Analysis
-
max time kernel
224s -
max time network
224s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64 arch:x86 image:win11-20240419-en locale:en-us os:windows11-21h2-x64 system -
submitted
07-05-2024 16:28
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Resource
win11-20240419-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Malware Config
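Signatures
(Note: the target is a URL to a repository page rather than a single binary, and the process lists below name NotPetya.exe, PolyRansom.exe and InfinityCrypt.exe. The signatures therefore appear to reflect several samples run during the session, not 7ev3n.exe alone; attribute each indicator to the process named in its row.)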
-
InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
reg.exe (multiple instances; the sandbox prints the name once per instance)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(The sandbox lists this identical row once per reg.exe instance; the repeats are collapsed here. HideFileExt = "1" makes Explorer hide known file extensions.)
-
(The signature title for this block is missing from the extract. The rows below set EnableLUA to "0", which turns off User Account Control (UAC).)
Processes:
reg.exe (multiple instances; the sandbox prints the name once per instance)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(The sandbox lists this identical row once per reg.exe instance; the repeats are collapsed here.)
-
Renames multiple (79) files with added filename extension
This suggests ransomware activity, i.e. encrypting the files on the system and renaming each one with an added extension.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\C9B8.tmp | mimikatz
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
Processes:
NotPetya.exe, C9B8.tmp, PolyRansom.exe, UckEskUQ.exe, PKEcQwIw.exe, followed by further PolyRansom.exe instances
pid | process
2996 | NotPetya.exe
3764 | C9B8.tmp
1728 | PolyRansom.exe
776 | UckEskUQ.exe
3032 | PKEcQwIw.exe
PolyRansom.exe (remaining rows, PIDs in the order listed; some PIDs recur as printed): 4864, 460, 2688, 1036, 1008, 1056, 2372, 4768, 2828, 4200, 3516, 1348, 240, 4676, 1624, 1488, 1204, 820, 4336, 3784, 2476, 756, 4148, 3468, 2664, 3732, 3892, 3128, 4984, 2368, 1156, 3832, 4584, 4272, 3988, 4840, 2372, 3012, 2624, 1704, 1804, 788, 3044, 1168, 5048, 392, 5000, 4332, 4864, 772, 2828, 568, 2164, 4296, 2972, 2224, 3832, 540, 4612
-
Loads dropped DLL 1 IoCs
Processes:
rundll32.exe
pid | process
4872 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
PolyRansom.exe, UckEskUQ.exe, PKEcQwIw.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Run\UckEskUQ.exe = "C:\\Users\\Admin\\hYMEAsUA\\UckEskUQ.exe" | PolyRansom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PKEcQwIw.exe = "C:\\ProgramData\\DmUwMkwo\\PKEcQwIw.exe" | PolyRansom.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Run\UckEskUQ.exe = "C:\\Users\\Admin\\hYMEAsUA\\UckEskUQ.exe" | UckEskUQ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PKEcQwIw.exe = "C:\\ProgramData\\DmUwMkwo\\PKEcQwIw.exe" | PKEcQwIw.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | rundll32.exe
-
Drops file in System32 directory 2 IoCs
Processes:
UckEskUQ.exe
description | ioc | process
File created | C:\Windows\SysWOW64\shell32.dll.exe | UckEskUQ.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | UckEskUQ.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
InfinityCrypt.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\psmachine_64.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\MSFT_PackageManagement.strings.psd1.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ar_get.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\Comb_field_White@1x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_ie8.gif.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\vcruntime140.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\ca-Es-VALENCIA.pak.DATA.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_18.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_link_18.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\gd.pak.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\ug.pak.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\VisualElements\SmallLogoCanary.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe 
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\onnxruntime.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files 
(x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\am.pak.DATA.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\ro.pak.DATA.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_km.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Bold.otf.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files 
(x86)\Microsoft\EdgeCore\90.0.818.66\concrt140.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge_200_percent.pak.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected-hover.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for 
modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyFolder_160.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_xd.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F InfinityCrypt.exe -
Drops file in Windows directory 4 IoCs
Processes:
rundll32.exe, NotPetya.exe
description | ioc | process
File created | C:\Windows\perfc | rundll32.exe
File created | C:\Windows\dllhost.dat | rundll32.exe
File created | C:\Windows\perfc.dat | NotPetya.exe
File opened for modification | C:\Windows\perfc.dat | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
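Processor information is often read in order to detect sandboxing environments. In this run the only hits are InfinityCrypt.exe opening CentralProcessor\0 and querying ProcessorNameString; ordinary software reads the same value, so treat this signature as supporting context rather than as evidence of evasion on its own.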
Processes:
InfinityCrypt.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | InfinityCrypt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | InfinityCrypt.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
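Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the single task (see the process tree below) is created with `/SC once` under the rundll32.exe process and runs `shutdown.exe /r /f`, i.e. a one-time forced reboot rather than a recurring autostart; the same rundll32.exe process is also flagged for writing to the Master Boot Record.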
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies Internet Explorer settings
Processes:
iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet 
Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3588004638" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. 
See aka.ms/browserpolicy iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31105231" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet 
Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" IEXPLORE.EXE -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000_Classes\Local Settings cmd.exe -
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 4824 reg.exe 3108 reg.exe 2440 reg.exe 4588 reg.exe 1612 reg.exe 3744 reg.exe 2980 reg.exe 328 reg.exe 652 reg.exe 4500 reg.exe 788 reg.exe 2972 reg.exe 2664 reg.exe 1976 reg.exe 1516 reg.exe 3708 reg.exe 3392 reg.exe 4880 reg.exe 1344 reg.exe 2860 reg.exe 3996 reg.exe 3188 reg.exe 880 reg.exe 4272 reg.exe 3568 reg.exe 2280 reg.exe 2092 reg.exe 3196 reg.exe 4824 reg.exe 3904 reg.exe 3892 reg.exe 3904 reg.exe 4856 reg.exe 820 reg.exe 4120 reg.exe 1204 reg.exe 2716 reg.exe 4256 reg.exe 4544 reg.exe 2560 reg.exe 3568 reg.exe 3176 reg.exe 4904 reg.exe 4744 reg.exe 4588 reg.exe 4624 reg.exe 3044 reg.exe 2432 reg.exe 3152 reg.exe 3732 reg.exe 3228 reg.exe 4272 reg.exe 4800 reg.exe 1200 reg.exe 772 reg.exe 1204 reg.exe 3472 reg.exe 2024 reg.exe 2624 reg.exe 788 reg.exe 684 reg.exe 4624 reg.exe 2860 reg.exe 2260 reg.exe -
NTFS ADS 7 IoCs
Processes:
msedge.exe, msedge.exe, msedge.exe, msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 195121.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 269416.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 776309.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 630903.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exerundll32.exeC9B8.tmpmsedge.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exepid process 1660 msedge.exe 1660 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 636 identity_helper.exe 636 identity_helper.exe 4988 msedge.exe 4988 msedge.exe 4288 msedge.exe 4288 msedge.exe 4872 rundll32.exe 4872 rundll32.exe 3764 C9B8.tmp 3764 C9B8.tmp 3764 C9B8.tmp 3764 C9B8.tmp 3764 C9B8.tmp 3764 C9B8.tmp 3764 C9B8.tmp 960 msedge.exe 960 msedge.exe 1728 PolyRansom.exe 1728 PolyRansom.exe 1728 PolyRansom.exe 1728 PolyRansom.exe 4864 PolyRansom.exe 4864 PolyRansom.exe 4864 PolyRansom.exe 4864 PolyRansom.exe 460 PolyRansom.exe 460 PolyRansom.exe 460 PolyRansom.exe 460 PolyRansom.exe 2688 PolyRansom.exe 2688 PolyRansom.exe 2688 PolyRansom.exe 2688 PolyRansom.exe 1036 PolyRansom.exe 1036 PolyRansom.exe 1036 PolyRansom.exe 1036 PolyRansom.exe 1008 PolyRansom.exe 1008 PolyRansom.exe 1008 PolyRansom.exe 1008 PolyRansom.exe 1056 PolyRansom.exe 1056 PolyRansom.exe 1056 PolyRansom.exe 1056 PolyRansom.exe 2372 PolyRansom.exe 2372 PolyRansom.exe 2372 PolyRansom.exe 2372 PolyRansom.exe 4768 PolyRansom.exe 4768 PolyRansom.exe 4768 PolyRansom.exe 4768 PolyRansom.exe 2828 PolyRansom.exe 2828 PolyRansom.exe 2828 PolyRansom.exe 2828 PolyRansom.exe 4200 PolyRansom.exe 4200 PolyRansom.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
UckEskUQ.exepid process 776 UckEskUQ.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
msedge.exepid process 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
rundll32.exe, C9B8.tmp, InfinityCrypt.exe
description | pid | process
Token: SeShutdownPrivilege | 4872 | rundll32.exe
Token: SeDebugPrivilege | 4872 | rundll32.exe
Token: SeTcbPrivilege | 4872 | rundll32.exe
Token: SeDebugPrivilege | 3764 | C9B8.tmp
Token: SeDebugPrivilege | 3372 | InfinityCrypt.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exeUckEskUQ.exepid process 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 776 UckEskUQ.exe 776 UckEskUQ.exe -
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exepid process 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe 2096 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
NotPetya.exepid process 2996 NotPetya.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 2096 wrote to memory of 2856 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 2856 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 
3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3920 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 1660 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 1660 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe PID 2096 wrote to memory of 3208 2096 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffefd53cb8,0x7fffefd53cc8,0x7fffefd53cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\NotPetya.exe"C:\Users\Admin\Downloads\NotPetya.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
3⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:32
4⤵
-
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:32
5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\C9B8.tmp
"C:\Users\Admin\AppData\Local\Temp\C9B8.tmp" \\.\pipe\{6E4F1152-4CC5-4922-8EE3-36A21A9DA585}
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3408 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\PolyRansom.exe"C:\Users\Admin\Downloads\PolyRansom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\hYMEAsUA\UckEskUQ.exe"C:\Users\Admin\hYMEAsUA\UckEskUQ.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank4⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank5⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank4⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank5⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\notepad.exenotepad.exe "C:\Users\Admin\My Documents\myfile"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank4⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank5⤵
- Modifies Internet Explorer settings
-
C:\ProgramData\DmUwMkwo\PKEcQwIw.exe"C:\ProgramData\DmUwMkwo\PKEcQwIw.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"3⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"5⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"7⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"9⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"11⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"13⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"15⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"17⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"19⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"21⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"23⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"25⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"27⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"29⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"31⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"33⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"35⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"37⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"39⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"41⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"43⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"45⤵
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
46⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"47⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"49⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV150⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"51⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"53⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"55⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"57⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"59⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"61⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"63⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"65⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"67⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom68⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"69⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom70⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"71⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom72⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"73⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom74⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"75⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom76⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"77⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom78⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"79⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom80⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"81⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV182⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom82⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"83⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV184⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom84⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"85⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom86⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"87⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom88⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"89⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom90⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"91⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV192⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom92⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"93⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom94⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"95⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV196⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom96⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"97⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom98⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"99⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom100⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"101⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom102⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"103⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom104⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"105⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1106⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom106⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"107⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom108⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"109⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom110⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"111⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1112⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom112⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"113⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1114⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom114⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"115⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom116⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"117⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom118⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"119⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom120⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"121⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom122⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"123⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom124⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"125⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom126⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"127⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom128⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"129⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1130⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom130⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"131⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom132⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"133⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom134⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"135⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom136⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"137⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom138⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"139⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom140⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"141⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1142⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom142⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"143⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom144⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"145⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom146⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"147⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1148⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom148⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"149⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom150⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"151⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom152⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"153⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1154⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom154⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"155⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1156⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom156⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"157⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1158⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom158⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"159⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1160⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom160⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"161⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom162⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"163⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1164⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom164⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"165⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1166⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom166⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"167⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom168⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"169⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1170⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom170⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"171⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1172⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom172⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"173⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1174⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom174⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"175⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1176⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom176⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"177⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom178⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"179⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1180⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom180⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"181⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom182⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"183⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1184⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom184⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"185⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom186⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"187⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1188⤵
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom188⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"189⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
189⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
189⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
189⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awssYIQY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""189⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs190⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1187⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2187⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1188⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f187⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgwoksEw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""187⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1188⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs188⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1185⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2185⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1186⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f185⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1186⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZagoEgEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""185⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs186⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1183⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2183⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1184⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f183⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1184⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKgwAQgE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""183⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1184⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs184⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1181⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1182⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2181⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f181⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1182⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIMkMsQM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""181⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1182⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs182⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1179⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1180⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2179⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1180⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f179⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1180⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUkEUkwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""179⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs180⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1177⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1178⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2177⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f177⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1178⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAkgMksM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""177⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs178⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1175⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1176⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2175⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f175⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1176⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIowgkIA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""175⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs176⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1173⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2173⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f173⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqgsUYcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""173⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs174⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1171⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2171⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1172⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f171⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWQokIYU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""171⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs172⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1169⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2169⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f169⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQooQMws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""169⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1170⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs170⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1167⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1168⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2167⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1168⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f167⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boksgscw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""167⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1168⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs168⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1165⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2165⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1166⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f165⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyEUQIMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""165⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs166⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1163⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2163⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f163⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1164⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmgQckwc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""163⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs164⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1161⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2161⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f161⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIkkowIg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""161⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs162⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1159⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1160⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2159⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1160⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f159⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1160⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsMYQgIM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""159⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1160⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs160⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1157⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2157⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1158⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f157⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIQcQkgo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""157⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs158⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1155⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1156⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2155⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f155⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyEcMIYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""155⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs156⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1153⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1154⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2153⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f153⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEIkIMYY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""153⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs154⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1151⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2151⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f151⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1152⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYQoYMkY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""151⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs152⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1149⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2149⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f149⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQYMIAUc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""149⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs150⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1147⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2147⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f147⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dykwgcUE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""147⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1148⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs148⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1145⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2145⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1146⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f145⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEkQoMsw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""145⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs146⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1143⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2143⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f143⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cyAoMsEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""143⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs144⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1141⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2141⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f141⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKAkIQkU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""141⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs142⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1139⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2139⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f139⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAEYEoAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""139⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1140⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs140⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1137⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2137⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f137⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmYAYYAg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""137⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs138⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1135⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2135⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f135⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tccUsIYw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""135⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1136⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs136⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1133⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2133⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f133⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaEYccMk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""133⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs134⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1131⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2131⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f131⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1132⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYQcMUoc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""131⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs132⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1129⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2129⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1130⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f129⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywQQMYwk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""129⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs130⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1127⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2127⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1128⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f127⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUoQkcAM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""127⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs128⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1125⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2125⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f125⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYMwMsYk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""125⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs126⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1123⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2123⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1124⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f123⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyksgIUQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""123⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1124⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs124⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1121⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2121⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f121⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIgsogcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""121⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs122⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1119⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1120⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2119⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f119⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoUIQAMQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""119⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1120⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs120⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1117⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2117⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuMEsckI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""117⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs118⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1115⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2115⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1116⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f115⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uegskwEQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""115⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs116⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1113⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2113⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1114⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f113⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMMskUcg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""113⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs114⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1111⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2111⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f111⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsYUEkgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""111⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs112⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1109⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2109⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECkMoscQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""109⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs110⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1107⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2107⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f107⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWMMwYAs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""107⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs108⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1105⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2105⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1106⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f105⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1106⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWYcsEsA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""105⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs106⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1103⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2103⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f103⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMgwgIEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""103⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs104⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1101⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2101⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f101⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IicgUkIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""101⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1102⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs102⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
99⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
99⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
99⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYMYscgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""99⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs100⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 197⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 297⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f97⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGMAkMIU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""97⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs98⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 195⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
96⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 295⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f95⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV196⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSMQAwAg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""95⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs96⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 193⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV194⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 293⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f93⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOMEUUkE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""93⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs94⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 191⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV192⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 291⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f91⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV192⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCQgkkMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""91⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs92⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 189⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV190⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 289⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f89⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoQckEMU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""89⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs90⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 187⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV188⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 287⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f87⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMMAAMgQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""87⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs88⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 185⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 285⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f85⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUcUogME.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""85⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs86⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 183⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 283⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV184⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f83⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruUYgYEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""83⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs84⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 181⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 281⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV182⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f81⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIoUQwQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""81⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs82⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 179⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV180⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 279⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f79⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgIUwIgE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""79⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs80⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 177⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 277⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV178⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f77⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAwsgEIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""77⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs78⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 175⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 275⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f75⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKEkUwEA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""75⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs76⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 173⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 273⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f73⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV174⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYEskgAw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""73⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs74⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 171⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 271⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f71⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSAEAggQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""71⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV172⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs72⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 169⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 269⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f69⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYMgMIAY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""69⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs70⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 167⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 267⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f67⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgIwoEgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""67⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs68⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 165⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 265⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f65⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYgwMIwk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""65⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs66⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 163⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 263⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV164⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwQYYEUE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""63⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs64⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 161⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 261⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEQgIogw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""61⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs62⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 159⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 259⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f59⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYkYAgwU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""59⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs60⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 157⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 257⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f57⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMsUYAIE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""57⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs58⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 155⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 255⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f55⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKAkgoQI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""55⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV156⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs56⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 153⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 253⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f53⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUIoUswE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""53⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs54⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 151⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 251⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f51⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgYEgUQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""51⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV152⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs52⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 149⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 249⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f49⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwEMgwEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""49⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs50⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 147⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 247⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f47⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqMEEUQQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""47⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs48⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 145⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV146⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 245⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV146⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f45⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkkcgsQA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""45⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs46⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 143⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 243⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f43⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEkIUIcg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""43⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs44⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 141⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 241⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f41⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMAoAosQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""41⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs42⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 139⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 239⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f39⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsYAgcck.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""39⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs40⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 137⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 237⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f37⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DusUIQMQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""37⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs38⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 135⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 235⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f35⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV136⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poAQYQwk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""35⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs36⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 133⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 233⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f33⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQwgEUUU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""33⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs34⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 131⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 231⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV132⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f31⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKAkAgYo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""31⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs32⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 129⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 229⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f29⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygMAccgo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""29⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs30⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 127⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV128⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 227⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f27⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV128⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmIAUQEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""27⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs28⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 125⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 225⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f25⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOkYsYcI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""25⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs26⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 123⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 223⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f23⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIsYAQgM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""23⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs24⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 121⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 221⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f21⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UggcUEoc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""21⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs22⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 119⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 219⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f19⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgUUYccw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""19⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs20⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 117⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 217⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f17⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qscgwoYw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""17⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs18⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 115⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 215⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f15⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeUUAkQc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""15⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs16⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 113⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 213⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f13⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCEgEYAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""13⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs14⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 111⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 211⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f11⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JokAUgAw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 19⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 29⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSgkQUcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""9⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs10⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kywgQoME.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""7⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs8⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiAYIAQY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""5⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wckYMMcQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
3⤵
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2492 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6756 /prefetch:82⤵
- NTFS ADS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5044 /prefetch:22⤵
-
C:\Users\Admin\Downloads\InfinityCrypt.exe
"C:\Users\Admin\Downloads\InfinityCrypt.exe"
2⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
-
C:\Users\Admin\Downloads\InitializeMove.gif.exe
"C:\Users\Admin\Downloads\InitializeMove.gif.exe"
1⤵
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\InitializeMove.gif"
2⤵
- Modifies registry class
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\InitializeMove.gif
3⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOcMYIcQ.bat" "C:\Users\Admin\Downloads\InitializeMove.gif.exe""
2⤵
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Pre-OS Boot (1)
- Bootkit (1)
Scheduled Task/Job (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize: 16B
MD5: d2c938b5735534f6e91e93e558c7f74a
SHA1: aca3b10188bc6f4d6adc36f1e5f2b315d5874273
SHA256: 326c7f707a5875f12b18c05d8e9699467c450ba594539b2e7920d9ef3f6c2f1a
SHA512: 0077738fe7706f9e8b411ef7fca9a90c72733d0144cf46d4b4a01980b5e80736c0fb0974be6f2ac4b7d7f950b529598d24b86a7cc0b9a369270f377ac58c681c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
720B
MD5f8a66b8807ae6d4d7d5c06246e5f9bef
SHA147b92682fbd510ce2e3bdd6d848662c41526fe3a
SHA2563254d7182e7f49ec24e5572af1f62b792ec470c090d2dea3267b2bc1cd933a4e
SHA512deef18ff14066c6ff66f0ac1342acaff275b8c39b578ca2de233a54a49808370d878c10640f2a4eb590b81034586f8626afb3778a23d23adac5ce3ce11758694
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
688B
MD52be4ec2cc1fdbf35c780f6aaf1821ab5
SHA1c38faba5b6d74533addcd8dbc97e56543fc3a216
SHA25623a116971f74d6bcf2453401fefdd60d76e53c0a1d9813436b2921fcb29fe5bf
SHA512f300b10196380b453db23e6fee5f20cfbf62345bb2744d5ea3a8af4f830439f40454172584ab0b1c8dacaf682cb99ac42cd40c8c8d1350b6b79754641cc9829f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
1KB
MD52756cc9401deb2d8a30dc4e542f5f750
SHA16f19ab5e0d03deb3286c80c8bd6ad166c9eeba3f
SHA2564c6b583e7e18ecd06ab9557612f0288366d34695afb41b344bf0a58770fbcfe1
SHA5121088ea782d927c65cf4ef4b043a2df4c4168ae92388b1eea5edeae3c0adcdf2ac29d19714c4904cabca4c8af9e0096009fc496fd3d29a12a91ba5a188c086818
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
448B
MD544b62e8f4d3b1d5eaa684391ede5988d
SHA1b53eee883fad95abdd8ab812103ae77899ab6e8b
SHA256e9c1ba08f44f0651c4844556690ba6a57164514928b4709a5f7041015e1c1aeb
SHA512aee4e9d51bad957cf666303247161d80ac7708159630f743bed4bc1632c836740737de7aa84eeadc0e787cc9722fc6501bcc95429a286b17d866253559d2a050
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
624B
MD5d86c9d93f4f539c223090a8e8c882668
SHA173e8d07eedfeb37e15c335ad4b250ba7a001069a
SHA2563705a1c0e1fdfb72d9318c8427cb73d93434ede0c7ae9dcc5bcd63fde659b412
SHA512b5828df5b7ea406e4d72fd77cbda3d45e08e1776ecddb90af68d7344aec0ede7e01d32adf663d5dbe584e32d9ff3e16cafcd66231e094e430160630f5e531a22
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
400B
MD5a49109e9701e3baedbfa52a1c8e20048
SHA138b2d8b825d484678b6181e6c777078e5acea49d
SHA256f2b8489572877362f9ebc3d33bd43543e00de943d155f73397e8318404f29c23
SHA512adac451187cdfa2003dda714cb554f93aa2e240728361c239dbf0dd69937930fb7fe9c0daa0dd3a8cbfe652012528015e7eb6e01771fd33be54b809358e26c16
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
560B
MD59fe7b6c800ef7e6520ab725d7061e138
SHA12b3500005b5f005db1281294e7e5a7bfbe13c439
SHA256878ca81181c35ad61977b1133e9bb49bbff8ae1f548998f558972a69aea8b94b
SHA512ded3bcf2ca43ea273a9ed8f4027cd96f05c412359fde5170b53a46dc3bcf8c88ab526793d604a37cdf43e66a87b10007155441ca1b982d21c5a9662e5c3ce488
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
400B
MD5142d9144e6e4b6b237f8af35fae905d6
SHA147e9f632f60a8bd05e8c4416dc732bf834175c33
SHA2564e7125c6b5483a8c391df6ceba5318297c84d3e6e8dde6d3c8e0ca845cce7a1f
SHA5128b6e0d478b5a461efc351358041486f4f12a12d60154e1a2d3e36521e488c208a8bf140eb72a727f441ac9e68196eccfbd2980f08ebd9adf3d6f9f9725c5ef55
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
560B
MD529199c4edde133d4fbfe1106301199a0
SHA1fb9dfe25dca271cc7666a49780d1a4c80e12626f
SHA256b4f32e352ddd45721a65f8055922a9db7f713d708331bfe08493722ce1176903
SHA5123651715319a2a09e95b8164c387e00c78efaeb2005f89c00f482c158340e3108d086b31ba1937f60e6f55900e56d492a7082402d67bb4aff452507f0a86845dd
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
400B
MD5009d256d66ab0fe4b35dca2b1c84e930
SHA1db4db328885a6aa1b561f6ecc74401aaca4c85c5
SHA2560e676f7b8a09b34211ce0dada0223784637d79fc7ae576b710a47028cd42000c
SHA512fc66cf1e820d5d56a3d30058276c498f911d22988e07b588512f26ae1206ec345afba61b09df474097f53e71d829519e53d20fd10e7255d00b3c1fb9b850979f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
560B
MD50eeb7380f78326a13939c63bda81c27d
SHA17e19dab96d78e3066152f501cffa41ad227cb1e7
SHA256a27cac179d00e2987da777c1a13ba6e998923bd474c1c7fbe71799f31613f9c8
SHA512d0bdc0c5282321debb21be0f10948555fee1b33910b7064aa9898b18c626d3b9d3e92c320ffea9d6d26703480072909c7b3dabf070639f042fd79a034a34370c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
7KB
MD500fbe16958e6bddad4af4a37655fdd0a
SHA136b49209a8be7c977c415fb5d9a51ada538a9d94
SHA2565fcd04dabb23944e9d2e3d8384ed0c031246f68e96b4f5154fbe80d95d2012e2
SHA512c4fc542d003ea3a38cf2445ad3ebfd38544631d174a0e681b6311c6c580c357f74ed71b7d8e458d35473811604d7093dcac51df294d18a7d02b6d63501927cf5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
7KB
MD5324cf3ef543d7c857ed23ebe611ecf71
SHA1079881f4bb64429be1fb5235c125d25e485257a7
SHA256304103c28d0a98da0816c2d69b76b505f58371876c07b56fc35a3faf52922873
SHA51244375f345f31d623c2138d02113585ab97ad0865f9965c14709acb5934d803dd8608415ff7f444c779b08508fa3ccbcbd2f6ee5547f6e0e35a7d2967a60c1bda
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
15KB
MD53c39cc801491c6437a39fa6986cfd3b3
SHA1ebdd2a053a464c9fdac590f4c9cdd6bbb71e67a4
SHA256e7141cbbb781248798b38acc1bfd774a70c134dec4f0e2b1d0d4c5fc9ef7db10
SHA512af55e772acb2c0fb1b015c937338f2b119c1bb3800f93a70dbf9632a52406e9448622396b881f3d765a9bae5f5663332339f43c29097cdc1ede5d98e8ee4bf32
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
8KB
MD58fb4dc265839f5de57d3639e907847df
SHA11e4f4140ce11c79ce3bbbdb59f35a85501de37dd
SHA256adae37b4e7f9dc26a9a99c86a5d8a949e1ae41a4db99e12fcf1032df7699e4f1
SHA51217d3e406ea129d5ceceba44288fe170a3ed6c813e5d1a3bf0e1e6175d277287a28d060a48d3d46d9932af03daa3e97ba2e0f6e212c1e2408041d2c6a35fd1f2b
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
17KB
MD5df01f7fdb275129331dade3964672920
SHA1e6defa0c56011e2470fa977b1a9be7e35a18d190
SHA25608ee6c2750edcda0870f2c77689f99f58be6669fe1667565dd6701476227de84
SHA512c4b7c119393bfcd21c3d9b89902355988bda77f32995a3b6e4040635e13704b1f5c6d7f0fd6c330aae6d6a0a1bb55528647741f83f7ff92c32f4746094a50bab
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
192B
MD5b0396b1f78ff634bc41c1ec62d230256
SHA1dffe7280f2a933fa13b40617cf09b0a768d3e9d7
SHA25668f75512d5f4d0afcdd44d9de854131dd9f74dabec8d042cbc72b8c5d7c4f08c
SHA5126293d7d5d67b8d0601e2d97a42ae3029162d9c009e31b4a80b14c80d7990248205df6f8f4e42fe4f5a3da771b65e98d93d063ccbb18b580d13b050bcc06298d7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
704B
MD57a75a684e037c73c5360d0a560574ac8
SHA1b307078b90bbf87a359c15805685387289528c0f
SHA256e4c1de76ff0424872b12ec30f987c550045e0f8ca1fb5a8025b3e2530bf042df
SHA5125e75bf9dc67327cd3f247e4663b37e68332a1f366bd5613d530d74ae4320a59e9bb9dc730b82d986bb76f7485f3b83faf633c063e8b48b198e2d06bbfba1cc71
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
8KB
MD506c236e895d1a26a44ebabd3067da655
SHA114b84e8ecc58ccbe8c9c114ff2f56d26cda32ae1
SHA256d12e256aca1cb7da9cd88f1c7ae6a5de1f1d809d2826a352e9b8527e9fd47717
SHA512c49bf29c8a43d31845dd65f3aad63f6d5944ad58ec964b1f4396009d17f7618c9240bed02c61a2524474d9069a02ff8c1bb003f52520b9802758c4f71c00aae7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
19KB
MD5611184cb53feb6f3c118f94124401049
SHA139e2ce54497433a0d83c2a09d27b8cf7dd785514
SHA2566f98be464d8406bf61e080ac64134e2600ef5d32bc12d5954f6a05b9a200fd15
SHA51208e69822f22bdf3db0bc515af702f1098ecdb41f1a52011589de141154dca140c394d590ccbd0e78e93d22a2feaad4778550d15528f3cf4a5cc74b0ac1bba9c0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
832B
MD5bc5cf381d305821930181ef9048cc46e
SHA194c728e2a6d23f87a4ef33bc71374aff6ac9891c
SHA256d5543841686bebdd87d336572d099914a602c38e91d8c22f9843f8b0ede60c3b
SHA512bd88b84a74ef1d47251bc66ba6807e11f7f022e1be174266805350431f1757924135655e30caa82123b1cbb2ee99d6342c09086a3dc809ec279527ebbd49666c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
1KB
MD5bd312151ef4d733fc338342aef8184ac
SHA171bed8c086c1fc57aa90327e7b4ec3427cb0697e
SHA2561b4b9c02bf28da061e2ebf4dd3357aeb42257a4eb15dfd09ee9ad8432337817f
SHA5129c2cb23f996b4d4de348d38fedc77e41693b993dcfe1feb6d7ae25fb64a6833c93323b4853894f387aff7dc8a7f14a71b3fd45432923044dbfc19ea20b769024
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
1KB
MD5c4839c77b9e3157b181546e970bd1fc1
SHA133d20f1ae170eb5a51d331ed74d6bb69ca0e7f17
SHA2567007bb751c78bb794369fa076905e2d0b73b702d8e4ddfe091732919579d97f7
SHA512f9052e3bf7caf012af9e9ba4bbf6b7531c7dcb351c526be48786372a48c6ce8b20633e0972c80aac6b8f0ef4083e5ed120869a1cea32bfd882b8aa4c29e31da3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
816B
MD5bc4d94d3cecbc9a7962d4c2997380cab
SHA1a21a0a37bb0aa0e18c180c439522b57b2ce138ea
SHA2560ae74e888027cf5677b85baeedbb30384c4184e1c91298f4051db45c25314a3b
SHA512743be1af0cb2ec37e541fd1b15f4c53df7cdd5b5489bf6e1d630e918361e14c0b0d6cde82c5101a473eb49ebe1f6e3d5e9602236113b02c85f90bddfd88c8ddb
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
2KB
MD5e979941f0cb87deeefdb969fa4aea997
SHA1ecd467e31dc52bd0847cd4fecb3f1e46a80a056c
SHA2563d158e5a45852c4c7b937f25592764ac7b5020fac4e9bc976fb93c2921abe442
SHA512d005c5b283625ca3f320b14aee0d18ce12a8d87b90ffa61bcc0051db2ca521c79e850af2f1ff37d0fa0118e0ad0473b8fd1d25ee7cd28d1c6bc3b7ca0e456094
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
2KB
MD5cb7a269eb61226382062035a722d5675
SHA197baa15e3a77652446ea24a4b3e7bb715832d065
SHA256e3b0ccf710ee8c02eb7d0634d3aa585ba3d271f0c981d3eb6f3cf8f9d0c5f2d5
SHA512e7f5a4a7a0d83ad9e38424928078cba84bedc922819e9cf04089b96ddd047d285712ea90152ddc63f227a456cab1771e6db4d14eee35f265256c6681c15220a9
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
4KB
MD5e1b7135c2e517f98449b872969ceb4e9
SHA1376fb91286d85e4e90d61e9934a193af56f3cde7
SHA2561a18a8de9dea2d5b1375244124ab6de091f03714c94423c3234859646a4e5f70
SHA5127edfe261648ca5e7c7aac80df0e24d710b150ae23a006262521503da43e7df6d91f2d28aad33bcf4b8c9e654da149dfdeb4468ed92b54779a7329402be5103b0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
304B
MD5e0047a4a44e5cd47917e4044395840aa
SHA1058bb63c19b980cb7ba8650ea636d6bab3afc396
SHA25620569471fc25b628956ec57e3d355d1b92c525da1796a9cbc715ad59f4a4da51
SHA512bd3fc8ba782d5c89db2c26385038b76a1bfbac89e9bc6539370998e2e561f71baf96af3b7cf50057f8d70748aee1c0feecf379dc50f9536fbb1ccba7f37275ad
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
400B
MD56dc165b46b1339332c7ce104d5da96f9
SHA150adb22917ba2d55d70e212f81964b7c81ebfe16
SHA25623ff346350de2b3ae67c9cbacfbde3e7ed5eb980f55c88e1a22d7563463826cd
SHA512bb24274157805a6c71bd93733fc1d13174a76d11309ec8554238cfa29982710abccc4b74467078f3329d62b00191abc5ff3c1dcd25245b7c7598551d1d03e2c1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
1008B
MD54f7b5186a887bf587bca8689d4352ecf
SHA1a762fa0ce59a7d73bc968471f4c98653366d8e19
SHA25658cf21e276b2f0451974c6929c5db8b61f8f7bf180a7296dbaee5894873bf4ad
SHA5121ddf450e2fd916cc2c3556b48315ff569cc6acf093b17ea37325d95fa70c716b9d355e6f181c28bfd2a0b4afe686c69caaeab3117cc5216e348ba9ce94e22bb0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
1KB
MD58d91bce3e4ff5fe9349b40f76adf7a8d
SHA135280efc2882cb6d196f9ab51545e32c8365cd41
SHA256e43144f80186412cdb3f2cadb1b482b019987f82c4532d5d075d88bbf47ff646
SHA5124919adbb6d2b1853aab2cd4b2cad05bbfac021c689950db33be5e87dc95ab898b9617bd7b4fa8ed464e1aca510a5f1ffbb1b37860047ca3021b755980a3a4db3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
2KB
MD52469812c733332a04330317b0aeb03b3
SHA18dbfe5b10b9c28e360b38fc105a2c6a7ee6b3c93
SHA256224170be308babe0c8047f2f8210d6a81464f592ccae3155955563d5b17278b8
SHA512f812d15cf550113a40ccb801c94bf28caa77e3f8d278c02bb819e07449c2db30979262f8b0ae39da72beca2d7450817ed6c3a4c8060a3be2a5dd8c0a33c62bf9
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
848B
MD5b05f089e4f1a8a7ca3c0d90063d6716a
SHA169613b407466f5d7c8c0f1e963a97aff4c73b01b
SHA2564f1807aa3a20e25367f353169895bded32199139a4a16f2b867508c2acc4edb5
SHA51278dcfd6b04f8c75d23a3823b0a25744763a7f288219936edddf57a03066e25f1c10a419f473104693c32b00407c5f339a960fcadd334b4e568d465ec668d424d
-
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
32KB
MD5ddba79292447bdec36f73611e406ddab
SHA1dbf8bce08e16c1560807e9d80573bb8a1c163595
SHA25695d3f49b2b6de9c13f4db38d9b1a4cf8835658a22675056641736bebf42395d4
SHA5126d65e63f97d8c7118fd6d9c6a35599ecbfaa2c1c0c81e7456944ac0d72bad7d05b301238ee9866629dc3cea2311fc0674f764eecb23ef3181c02d309eb579ec4
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Other.DATA.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
48B
MD5c747f121662fcee5686d76b25b245302
SHA1137b91c6acae519d90ced52f473478aa263259d5
SHA25698d2f6e162436dc3a10c55658c9aa01fd85a20a948076454f0b78d84b0686b54
SHA5124ebd40adfa87a3abcf21812cb1df3f65cd673dbdf16df75072b76a445e733fdbbdcdc0e907164ddba214f41a4f787052e493a3b9119b54730e70fcd1fd31f608
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\identity_helper.Sparse.Internal.msix.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
55KB
MD513f7990ef237155535e9282523802346
SHA1e7e227d6ac33aa8f2a31f1440897a1295c0d4f44
SHA256ff2355d9c3ae5886e3ae1723ebb6ab708a01c4eb3a2f0595202f96f80070ba16
SHA5127ccb0fc9baa709637443a47fa65c029ea80a8cb967b2369c994b243de89c34bc34b3245d5b6ff7278bbd176a51c710706d9d8c5ccce915a7c9e5de57f148a904
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\notification_helper.exe.manifest.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62FFilesize
1KB
MD551af83483f6bf3b58be44608769e03ad
SHA1148dcef58b0b7bb9ad0d1a7612f22dd4981b3671
SHA256bf847d1e4abe55be2abd66667cdb7a2293c593f3933a6e7469057a4b5efbb7a8
SHA512b85b34ff4afb1fc0639f181d8da2ace8dbda76b8097250256b0ef190be3b76ba4d3e4e8b3720d36c435de3fdb36485f53863f65446c520adc0b6091f47dfee1e
-
C:\ProgramData\DmUwMkwo\PKEcQwIw.exe
Filesize: 193KB
MD5: a49c24cb33e62bdbdab1c5d5667bd730
SHA1: ecbb6a06a0ab0e7250c9e235de356db1476f9d22
SHA256: 736ae9fd875049ebd92711b3b200470f9f107f96c07558291785cbd1e180b190
SHA512: aca990b40e8c333d5097a5fe12d9452e1a2b84d16f7b07102476ed85c0bced7265581ec5b7b8e310c86d2aea0ea821baf361e1c52221e0117d1d3b45c4440208
-
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize: 769KB
MD5: 21522f606d5224e843669fce6686d7d1
SHA1: 197a1a7f1d2d3f2447d920db0b4d7a92acd9ca51
SHA256: 8c3b933db6070615927b24a027ee6eeb187765883c8e7a4440eedb2ce00248a2
SHA512: f90824157047a819cd41f1bb60bc5ca6bb9b2a845bd25875a5de5f16a7b537bad894743935e44a13197bee92424469f5888f2301a22efd67c26312bec3b1cd10
-
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
Filesize: 201KB
MD5: 54e95f68493a0bccf7b1f91c03381321
SHA1: d7dbe526a480f0d2fb7ddea1415f91cf917e7878
SHA256: 776ae8a1c55ad64d82fc7d36cf2a97a31fc9d62ff4f3ce4eabc9c2ee2b97da89
SHA512: 9d708346537a388789afb780b1f16cabbbde65fa304ae975da0b42d3ae2e4f9ee794c72f8ab34dcfc395c8c590a9a36342c70ea074897172c9f13a18b4224425
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58d5e555f6429eb64461265a024abf016
SHA105a5dca6408d473d82fe45ebc8e4843653ad55af
SHA2560344fd65882ba51695a10e1312e65f08d58afca83771c9d545e181829d6b5ed1
SHA512be5edfdcda1ba0db9fbab48ee1b643f1b03821e24048892d18033094fec14171035179e987a08dd91a1c25d91d9256837a4105f6765afd225a868f3e95050b8f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b5710c39b3d1cd6dd0e5d30fbe1146d6
SHA1bf018f8a3e87605bfeca89d5a71776bfc8de0b47
SHA256770d04df1484883a18accb258ecfa407d328c32c0ccbd8866c1203c5dfb4981f
SHA5120f868e4ce284984662d8f0ff6e76f1a53e074a7223122a75efa7bb90d0204bc59bee4b36c215d219a03707c642e13f5efce0c3c57f46659a0cb1e7fd2f4d3cf1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000fFilesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5e301441012afa72777ac0b43454617b7
SHA1e03c5a977d5bc51fb727e70ecedc6f0bb01328f8
SHA256117b411c8cc854a073ad42913bfd719a276aba7bb088cfde636554a512e87e51
SHA5124a1c1047fb14df0abb8c654568700e311de880f81d910a4647ebde5a6f26eed0208c1aecd43aa10da0b079798dd9bf6cfdbdd3f1f4a387ff4f0d856c31dec22b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
579B
MD565141ee7de186b38be5e1fdaddb3d501
SHA1455647ecf2fe6d59ac8b378758eb06b9b7a4e69c
SHA256534e5e7800ffb87965af22f5b6137df74b4cf5ab7c061b0a325bb5f62c157465
SHA512d0625d5c88c342ebf59235de6d9ce14e2e9c054d6aa15cc3658a8f9fd913642374f817c41d594b77bdd17218b063047a572d1eaf4ff5c33f638550dfb9f14b37
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b769e3e3b4f1283898b7c21c6d543351
SHA19a6e1e1725ddc2845f54e11b687029c1b31b6390
SHA256cf6ae59f213af9eba1f18bc4fd03715db1cf8b97ded8991f7200a282bc87c5ce
SHA5124a8213a6a8fdbbeab7f17c43cc518d8cafa0cd17ab82e7834cc6b6f232f4fd131d57173b0d0accad097ce8b78996a0d3560d94fbe3a71af9b7c986ea230a2665
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD55a63704a184ff99b086e6676a3ca3a19
SHA13188f9d7d80461e67e3d1139d5fda56873fcac54
SHA256b960bce6ba5c33ed20d9ace6eb11d6c44a1be015952f8e2d0020e6fcba233bcb
SHA512b18f6736fb522a5d276686e91fbf8f58410b7bc84367b010cc91d92b1b6e40a19c5f7c516d78d684a3b12df60640334428a30bd9e7f25e16cde4d4cdd38ffd0a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5c5600c9f5206129b8b34de235410e5e5
SHA1ed588c7c9478448e6cdb950e6c9327fb7a0739ee
SHA2568d2ff8ff3636e759a16e1a20e7b8347f44e006b2223d14abde014392e2ecad1b
SHA51265517c7a0df30b74ff34fc7661c72eff3a73df7b17107e4349865198aacb21792223bbe269015437ca980d781bdd7e196aac37147e815048cc905d99ab097cd2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD575f40b0a4c5ae72a2cf05f813b82ab59
SHA16335b07bf7d0b97342e9e9fc4d610b75dfc5f670
SHA2568618894bcf2579e922a9319a8217250e0ca267cb12b0f4b5662ea1b3b7b96efa
SHA512852c6433d41b0ab6d8884d96cb51ad311d370d10861027f134829a079a7d0ba294c5d157c8b467c7ce3cea33a9c409ada2dd4e3783779a46d16eb133943b3f37
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD50b8578ae530f44229e43afb608a98328
SHA1f0d704cf0d18617fa76e7f500543344be26fe4fa
SHA2565089c854b02aebb15068182c913cf26e66928028283015627e7dae11d24644d1
SHA5129d6381f727ba29160bdb1eb24d2cd6350935c5e185c03d94b09a803529a01046adffc4761c6f7067dd68abe51bb876729bb5654f51279da042fd4c01d2312da0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD59b70dc2f61efa0dd1885cad56cb7909f
SHA181c4352efa6b10b5686f736af1f8d4285ba2d2b3
SHA256ef3d8c35997608c2f22d856ae4b66bfcfb9f52c0d90da156805492d99492c5b3
SHA5121339a5d4dc69d92717af3e3410d7d0459f66b218eb79ade584f2b479d97485758b701c38565f783063b710917fbe1e066afbdc8627445342f1aec79f7c48da3a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD50aa71152e9ddeb2331a331c64f9c03d5
SHA17462788a553a1424172a2520935c2015cf5acbd8
SHA256bfa28977f2b5c7868f4ac1cd2b3460c90acb55eae5aeeeaadd73cd355081bc63
SHA51211104004ddefb3d28569838b03227cc6bece96a6418333a4e2577691f9cc14c944112e6da20d19335b479b3de6e80dcc7ea5033007f22c4bf2dcfba1c3f36ff5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c54a258feb78c68067587177ded2958b
SHA127192eeed22b0ca90362cc69631518534ced8ee0
SHA256a7d16ce5a183e3365d9322a91ad58df768eed1122cab71a35f8023480e8ee53c
SHA512868f1dfb2d0806dd66a2546431166a47d1fa87ae30c853698bac15ebe6b7b3df3d2873cadb5199ea9237e31d5cdbb74cf2fddae8cfe16e6c6d0c3a9ddb611fbc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD521b739822ff5f332d1fca8fddad896b6
SHA184494181e95cd27305a7df5fe7c1752545219c5f
SHA256ac1252f9bb72bab853f14cd314fa0bb85aa64fc5e493454d19d40171cab018c0
SHA5122043bf10e4d51b7a29e5aac79a0b41b4e8bd8074658bc646408eb16996ef70e00be3dbe04d6ba62a943bd3dac6e9b22e04493033bbeae770141522ef5c7cd459
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579153.TMPFilesize
874B
MD5087cba9bfcba7c168d0f7eb2f508c856
SHA1ac1dcf0346b577a0d9f3312510d0f2e4eef4d01b
SHA2569af9924bb185131c24acc0e131b569edce066d3fb7340e6116a8774ad2dc798c
SHA51224f9419042ffcf75003582a306bfeca4d0205fc13653bec43b3654a8cc2c56b5aeda30c3122b0b5b96fcc7eefc40cdda2833f23bbbcd426b9529c5772f5fec3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5cb4e5f7818776e931b10f1be050ae580
SHA1375c60111289a546162494b42340da5d6b198176
SHA256e878e7737f7c3e1d3207f7ce7e30b7d728e3bceed08c8f531a9d8124a6666b0c
SHA5129958ab3b6fb49371ccd7294577ce659f1b7df7f073c85cee516cb0b968abc7053ebd8bc3aa89ae75d7d8110a85c092639a7b9a9be70afb1abc883c541384c58d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5c15940c2fc566c63ae61fe1f1530a9ab
SHA115926627e6271fa5f02cf9863d8841304dfd4be4
SHA256d88524d4989bffe67ecd218f93111eb6a2ded856dd95ad6cec1242bf958ea7b1
SHA512156bd5664e6e89c80964e28502241dc2622401eab08f9e8e4c67fea5522af023735f8118498e7ef92a043b2c7ebe2221ad0b62ac06a4bedd4191d638fcdbc70a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD56b2de74edf586cf374754779d062214e
SHA15c07736ddfa526a66312537292a81076ee0ce92a
SHA256ed42812f75284ea142456e7573000ea72bf50c3b7274b6a1b2d90fc3ab5cd7ca
SHA51249d05a31641a404731121a3986cfc0614a0a1dda63b1cd7bee07f912c48579bcc2870b5f7a58f64be6446d80e8eb518fe7e1278f7865eccc60ca0b34829cb97e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD517a52ec07e323f33fcaa10a8bab64f44
SHA193666f7f8bca01fe3813e9b146eba39ac663a3ec
SHA2565ca6937bbc9bb9bac28ebff27d1933e2f362d128147456e8b7597b453585c314
SHA512020cc04cf37410e6578198dc2755ef1e6a5117452a6777fb31f88d239f164f6ad30a0d0f4a5de85980b374188806f1ecdf65ea0f7cfe45775db71919b88baa00
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize: 192KB
MD5: d87daa0a5c9b7ee19a09989b17610522
SHA1: 29c31279f624e7c1e3eba802db48710b84617345
SHA256: 1fb9e21641865dc6cd53bc14b0ed95ac5229d82aa2b55509cd14d9155c2f0321
SHA512: defa8bb850c853cc115e8fdbd045a2fb3e8ef5bc9d772d30a9fcdd35589825ea3195906005fa5fb011caa9b47905fb61cd0af1728775844ea13114154c493573
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
Filesize: 193KB
MD5: aae048d4548eae05daba268bf93f927c
SHA1: d7afb4ab6e3bc5573ef3ffafb38f33d25235b528
SHA256: 701e780449bd43a0542ff4b3d797bbfc440bc6eb92b35568f34efe1de020b6ca
SHA512: de1dbe86c71936b8715193f87ef4a820c1462d1f7333e3f37db394a8c9ff0195f5db4262c3cb3738a7aea46a9bd7a0a91f24c03216e0deac5f2522adb779aa7b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
Filesize: 194KB
MD5: 7e7c9b54ccfb49c9ff6d8d386bcb5fec
SHA1: c00b01102ca44351c4490645ae46e027d40693ae
SHA256: bd4cc9bbe90f7f9e5247af4ef20448cd023418ae83e9c8553a4b1731918f2f88
SHA512: 2416bbc1f9247e38949909e8904407539007a73ffe54d2f4ce8de1536e2072bd994c97fec2c6e21d98ee77fbd5863aeca662a15bcf31d1dfb6ea34a4e749eda9
-
C:\Users\Admin\AppData\Local\Temp\C9B8.tmp
Filesize: 55KB
MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1: 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512: 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587
-
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize: 19B
MD5: 4afb5c4527091738faf9cd4addf9d34e
SHA1: 170ba9d866894c1b109b62649b1893eb90350459
SHA256: 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512: 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
C:\Users\Admin\AppData\Local\Temp\wckYMMcQ.bat
Filesize: 112B
MD5: bae1095f340720d965898063fede1273
SHA1: 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256: ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512: 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
C:\Users\Admin\Downloads\AAMk.exeFilesize
200KB
MD5953f56d4b50cf6c7721f255f9961df2e
SHA150fd4f07dc438fdb78de0bc53e69bfd285f0e676
SHA256d5ddc2461804caa54267e2ff3415316888d6f3825e7726b4da293b5bb43384b3
SHA512294f8409abb9f9af56ca1855c869e575328a87f830cdb7236fe61cf636ebaef1aca1df14f92a2bc1b0efec2f0d3bbc0ac3c583256fdb63fab1a2de21404fb158
-
C:\Users\Admin\Downloads\AEMS.exeFilesize
203KB
MD54d05fce5e388a721b1c0e6524fbebb9c
SHA18a08f8c956254117d1dfd9ccda46bfe497aa02c8
SHA2567b8efe65abc2cd6102ead816cbe9c50382d61aa8b1e00494f30e54a4747e4a03
SHA512e6bd934b84f7924931a96f21904563a856611b4879db85396cc6e8e891281140ebe64f91c4555369a2fb51e1200fe0eb237c3721074eb975c3103fbecf696a02
-
C:\Users\Admin\Downloads\AMEy.exeFilesize
585KB
MD595f957cfd6644514e0aa2d7fd2c38689
SHA13882a7d84ce84a7c383b847eb623dd0f7d998fa4
SHA256ef40b11617e279ca6a9d59294d1dd37fa69b75ffe20b9e25effdc254c4b73779
SHA512fbc744d27226dff3aeb1d7fddaa89b24bb664951bb0d340e02a2f38a64b5f8dfc3b4f8654f6b9e40914af3ed7f32220003acd4dcff6d6f45d4a7cf649bfb99be
-
C:\Users\Admin\Downloads\AcQm.exeFilesize
185KB
MD50aaf530ac281958abec6738f413770f4
SHA1e2a7549040e57eb0e2cea01b86b3aaef9217a48d
SHA256d1f65c5cc108d8b4f865de7171f07773377dbdc082d3f0cfa54e36ccf587bc1d
SHA5128027d43d54401a52731f6565b83a1036ddf149137d0d8f3552a71d1404289a40b148eb842d1b7f8a2fdccb2b26e2142746ba5d65748d30624787489788489260
-
C:\Users\Admin\Downloads\Aksm.exeFilesize
182KB
MD5253ead269ed0dd5fdb630a6e46114487
SHA160e17c32222f90a0659d90ce4b7322b94ac7ab5e
SHA25603ffcb030a2e9a41e26c1df58a919da6d0f89c00b7d41156ee436550e277ac0c
SHA512f92027d213a5812ddf3234931d6ed33c4837f0bad7e042585fb90142b318dc3a3776b07007c183ecf8af05561518d5cb033ef8267ee6f7648b62453a948576fe
-
C:\Users\Admin\Downloads\Askm.exeFilesize
637KB
MD58fd9b892584f42debccd376a3c790cdb
SHA1a3a1872b41d432c5eb869eb1dd93c6489439799e
SHA2569a9bd9aac84f0b48d67ada3aed2ba4cc48c9d006bcec64a36242d4dae5357e5e
SHA51292ea16c3cdb437c08b114bedd376da09c7b7666f576bb24545fdd3c46082d3cc00c9d214300bd29c48701424c6da8c256bce6413a4dc7c73a54c6cfc641d1b24
-
C:\Users\Admin\Downloads\AwcW.icoFilesize
4KB
MD5ac4b56cc5c5e71c3bb226181418fd891
SHA1e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
C:\Users\Admin\Downloads\CAQS.exeFilesize
190KB
MD585ad1097d1c194f699cdd5a2bbe92e0c
SHA149e11edef9025e3b77eabf10ef707d352adc29c0
SHA25669232b9e9b6c0e0ad62007ddc0a1584c4bcf22966bc7f6055944cfed52b70695
SHA51265c30658d650aeac6ed78ee1383285bbcfeb831d1446af53260769419731df18de5ca0525f0563f737de209295d3759a1dda2bd14f638404d8a2539012ad53d3
-
C:\Users\Admin\Downloads\CEUK.exeFilesize
202KB
MD56db86768ffeb0fb4a8535b91d9de8081
SHA1b0f5411459027be4d44f44f8d629cd68413b9bc4
SHA2563729bc50bb3c1be6659a42e619f674dcf46f08b19135af9c8dabf81f77293b17
SHA512465c356716becae2f270f9302ae5ec3d2b26888222dcfeb628103868cc74a2a40f3e68a97e04114abce94c0f66f6e9528a1d1bb1a3f75c8d77dd9319f373d3a4
-
C:\Users\Admin\Downloads\CUAK.exeFilesize
195KB
MD522b440ef9a8a0fda892540227ec311a7
SHA197695f93f190d85f6a5b5cb3aa085abae3e848a0
SHA2568a466a5c658c6e78cbf88f9ee126714e20cf1e743165268f0319cb4c82df19a0
SHA51281b10494b8a9ded9950d13f98a4259baab63f84ef23f50abd21ce42796262d77924c7ad77cad0aaf6f47ccaba9f2eacd94f585d0518d0b03a44c85d9f6e352f7
-
C:\Users\Admin\Downloads\CksE.exeFilesize
647KB
MD51f107e12dc82ef711b9f5965c92c3849
SHA1310d408db4491e7c9f6c91e51546b0f56b74cf75
SHA2566b20add589579e2b820da1b8323e2911f11027e3db3a48345fe49f9391efb94e
SHA51248448e1ea787b5f118dc8835a8aa839ee58a8f43d2a7834514df50b7a7ef0bb87a0fd827868e9be6b26ec8e1fb37e8ba2fd9cf4618ebc504cd1a95f83c480faa
-
C:\Users\Admin\Downloads\Cwke.exeFilesize
194KB
MD57e2c35378f1d943cad6e37217b8552e0
SHA19430cee0212df881b409a36befd2b6bde10211fd
SHA2561dc4f03b2b3fa2bc48a8a4af0f0946b2389eaa0b0a942b022189ba15c2b607a9
SHA5123fd34787c1320d63c812432224f4f9c59f26721d49ed0cb47d6a18fef478bb95e72feb424c0735829d7f13ade20044fb128a604860deabb2186bdbdfbc27ec71
-
C:\Users\Admin\Downloads\GkwK.exeFilesize
203KB
MD5e18fd16cae05f7c0f96d3bcae3d35e20
SHA173c849e965b946ed44de477a07c2dcef38da036a
SHA2567a4734ee9725e9f2d68c90d55383d6eccac8cd82d726b5476aab1bacc0b18d20
SHA512db682e60ed390294e20a58dedcedb46a96c1d49d0ef9e7eefe31cf40b2c32b95d330469a16ceb321cfad7076be1d653bb450b59720b4081512b2e34236d6b5d6
-
C:\Users\Admin\Downloads\IEEm.exeFilesize
317KB
MD55288333b6ad1e60f5e99c74e6b65af79
SHA1e876062001cab92c7bc48d0204ae6c1289d2623c
SHA256d0c11465dc6d855c1e134a974c6687970c51ea649b5f5a998115437101a4185d
SHA512edab3c198bff9c8ddaa0391b230641c5eeb3ba4eedf4eeee9ff0946f78e886fbd9e1eeeda88574198a7046194e96689c80b1c0ade21bc7e2ab2e790949f88007
-
C:\Users\Admin\Downloads\IQIQ.exeFilesize
654KB
MD551f80a0ad960333b83bcdd3298e6d77e
SHA103171f63d65e7849402e339862e5e1f47a7a8cf9
SHA25668895c822ed38439ea3565766e4b407d4cdbbd9d4ddf9e588cec02bb00ea8807
SHA512ff8ce633ded30683d0cbe14368054d14964755251d0c1c32dec399b4937dabcc6d8d591de17860dd43c944f780d882135af0933bed95b484dfdbdbd5eddcde1f
-
C:\Users\Admin\Downloads\Iwgg.exeFilesize
703KB
MD553b6cb48f7daaeb5e8ebd432941d9016
SHA13945ef5930a730c07c80ce5c5332f2aed9427da4
SHA25629902bb0b2e9c38950471c93c0c5aaa8d30ca43726869b4fd62d32017eaf0129
SHA5126e2f4a4d7cfacf19ed1335e8d6b036b045df115224bab10665f3934f3c78b6421b61d4372a77bcd78a1f96767f53aa4ce6684a3de9aee000bec3b612572a62c2
-
C:\Users\Admin\Downloads\KMMQ.exeFilesize
211KB
MD5d882f647bebac7693fb73a5965ec07e0
SHA1455dc1fd3094aa911869c96e9a299b7d62128011
SHA25678ba306fdca319f7cbff20a8a8f11cecfa035ccf827df05796ee6e63c16e6935
SHA5127c9d4ede8397a002b5675966de49c633a406ae3e3cfd8d4dad55146aabebfb20b53fdc418066867333476ac045ad38ed290819450639efcaacf68bf10a8899e9
-
C:\Users\Admin\Downloads\KQsW.exeFilesize
225KB
MD5a6b26758d64f715450007da6f06feab6
SHA1e21134c9eb8d43d5411b6853105e4d525b94c169
SHA25643778a35e9e6594d6ab7ff2b61d12673ccd3b06702f05893bb880a32761cf38e
SHA512b0604c9370e1e25272de4314a67e0e1995ac336fb4d0dbc286408582325e87c08b9c156e1e9e610f018a943b32fe3c850403868ca27a3809b8d4831d1424a478
-
C:\Users\Admin\Downloads\KQsw.exeFilesize
185KB
MD54db78df6f7278e7cc7baba768c861d9b
SHA1ace53b4eb09d732e4c17ef67753a3a24ed332166
SHA2563b40877cc419267c977bb0cf0e59cc5f7dbd9e61971b1d26902139ecb280de04
SHA512873b15a6d1e09df7437d49a61dee67e7a649cc10dfcefc2242d9ee6ab2d20fb80f72d909e8c4a720b0e8e58ae4b7a38c9842f610d4e7c18e1b8f5024329935af
-
C:\Users\Admin\Downloads\Kocu.exeFilesize
1.2MB
MD53364a081e4fcd8fe60c3d72e692cc24c
SHA14068a16933b79c11a6e4062c14cabba46f82e609
SHA256cc3097487eca1dc6160286eb3dd96d92bb4d546f6dc9739c7a0e6dde21336942
SHA512a7c25f9ac36d31f02c0ab8022210c8e85f119855f299be7d162fc9575b9343a7dbdc0ab61cb40492f78db37cd1cd30a8a586a1ca7daae09b27469bf0ba74952e
-
C:\Users\Admin\Downloads\MIYe.exeFilesize
186KB
MD584a720652e60094669511e4f30b1ba3a
SHA1dddb2c0c0e88ff573511b55eef299969615d3751
SHA256dadbdbc728142fc808117933158496113cfd524ee208295a5321c58b081fe269
SHA512245104bbb1960566b45b202b3f3037f5f9430b60cbca2ce7f2d895694a9e0ff3eb0a43f21facf7eec9757cf83509048f0d6456eba01efd9f82104817b1109e8a
-
C:\Users\Admin\Downloads\MUoa.exeFilesize
200KB
MD50832a0f3d69ec64be76958794b2f6191
SHA17b4ecc79c8eeef665a589948a0d5aac857e07f73
SHA256e4f65676b65621f2f4c0ccbd642307bf7da80618106e169628f43b28c129148d
SHA512947a924da1194aa96eb4809205fca8ffbfbd0ae3b8bcdbfccc792e102b9aa2afafa1564e3d3a5ceb93d6e0c5cd63b141497a56c77cd56e42d18baaa90f0eca04
-
C:\Users\Admin\Downloads\MYMy.exeFilesize
193KB
MD5e177c427a7b8b8e023b82b473b6508a5
SHA132bae9c7df80438cd669a16eb23fa776d27fe22b
SHA2564b444337523178da78adfceeee1c9ebaf5ad28bb44eb2ea629d925486f16ddde
SHA5124ce86711f8c7b6ffc42eb8402921cef6f9d40dd445f6780af8fe68af4fb30d0723cadeb883a241c5dd458e3ada3f27ec80745380c4a8f045c151a2a8ee058933
-
C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier
Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\OUss.exeFilesize
410KB
MD53a009b442a418c8fb1e6801ee274acab
SHA1cfed9ed85dea8bb8ddc68ab873b68a881081fe21
SHA2568321650f935f73ece19e53ececafa72a607b19a73afebd0305b3e76ebd496fdc
SHA51245aed3460b6cc36b188cddd36deb3a0a7e42482ec2ce9d55638ca07881be2bec10efc23399e42106cd4d3381fa6c11d5d636ae6b218242aab9b4961e886e4131
-
C:\Users\Admin\Downloads\OYYc.exeFilesize
213KB
MD57ac38d72e8c255247bce62f716ed5436
SHA182b59602d0273a572bc551244c6a7e602afdc099
SHA256c3d1f513dae28663e9b7ab22ff637884985b36afe4d8fb4ac773b693ccab95ef
SHA5123670bc96dfb83a869bc4bd13ae931fac1e75169b82b18e6c5caef420bb8cb735c80593a102364b22b7fa7d42c1ea2a9b6eccca16fa19e7e7bbb2e2b3cda23bc4
-
C:\Users\Admin\Downloads\PolyRansom
Filesize: 25KB
MD5: 2fc0e096bf2f094cca883de93802abb6
SHA1: a4b51b3b4c645a8c082440a6abbc641c5d4ec986
SHA256: 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3
SHA512: 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978
-
C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier
Filesize: 55B
MD5: 0f98a5550abe0fb880568b1480c96a1c
SHA1: d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
C:\Users\Admin\Downloads\QAga.exeFilesize
205KB
MD5302b55c60816427697f104143b26f8aa
SHA1aeef629c18175cc4736415c99d9e931d1e66691e
SHA256cccd424266b548ad0ac693f13cf49f8a4ddb5619bebf6e822243d84345186ee7
SHA512c16ff6bf8851dc936f3a749b85aaf10c8591bfe96f8694e71ad1d3150db4411ac9866bc7dfdb866c8d14a46a673162bf269862ffed4cfd19523902ad46a80576
-
C:\Users\Admin\Downloads\QEsG.exeFilesize
189KB
MD53270c214169bcfba244887425be189c8
SHA16ac6691e6487f7679469e566376dc7fde853f8c2
SHA256d2c08839f513bad31dd90a83409a158d4d1ea94059ff77ae396b8be6ebff601d
SHA5124ca5e5f830d3a1494041fc000492a966014ef35fee268cc9cee9558153406405ebc0e8b1df4f6b2a3b7a614bce2eb919f47a6e19b0d2bdf991d6fbe5a6cdad37
-
C:\Users\Admin\Downloads\QQgC.exeFilesize
202KB
MD5b77d426975814b7bd50b09d6d0ef5e4a
SHA13c1193caf2c7fe595d88be28aab716d69cdffd27
SHA25630bd6abbb8fc3e995273c2c6ad9900326ead245d9fb4de8d1ee24e5b7e131e6b
SHA5123c79ad39c2a1716d9945ab8cd01b14937cda2721169b87a6ac9dc28d7b2913e3c058cf2c06025c2e05a67ce5d6e88f265e7a32c768e8908b91446eacb9379577
-
C:\Users\Admin\Downloads\QgcM.exeFilesize
194KB
MD5bdd8b4224ec62b0fe3b53b93789a7883
SHA111919ae3b1d830cb277175a01b8d7833e5edb1a8
SHA256188d1cfcd62c94c6f75d2cd2a2a27720fe4d24e5a6e0971b656b44857f381215
SHA512ccf7be72644984c7c45d6c63942f4d48b33247cdd2351f362dd2708a08243ba245b92dd1e932195472ecea7dbdfd878e716960139ac3ea3e21a51c34e53d2422
-
C:\Users\Admin\Downloads\SIIe.exeFilesize
756KB
MD534c93f5268fe24be437b9e69834c2fd5
SHA168de7c697a55072e1b12f3c11669d354ff5be91b
SHA256bbf98764f6ee1d4c1b3bd61cdadfac61bea9d160c0a0435889f22bbd640eaec7
SHA5124a69ad285009c86fa3762829de7331ba73692ba4897fe80aeeb6817f3bb8d1b00a3dbb7bc62b525ea7d0b348a05491121d99676abf18b835e1af309b5be9df4f
-
C:\Users\Admin\Downloads\SQsi.exeFilesize
6.2MB
MD50f195be436b146ec3593bacc65231c10
SHA1d3cf099227ea520b02114c670aea7f60c1bb3026
SHA256680fe0ccb40027917b05126b296b384e74619c678ed9b25adc35bfb272d9889e
SHA51218d07396cc5c255d26ce72480d32dca02e6876429c22b8073f3d082d8bd1daf7f70f4dc3cc32e1ba4fa31928aa8c9313ef0aec9b35f0cbd09170056229153c7f
-
C:\Users\Admin\Downloads\SgAW.exeFilesize
309KB
MD5a97910d52c4f8e1ff07b8bfe99024090
SHA102c2101fd07aba001b875a8efa72aaf1a5a7745b
SHA2568143706540a5c1eaead3e3ab32d45e5bf0f4e6367ea70ae6033f1f44e39e7c98
SHA5126ffcf2eaa1ed2c8e1eb24e0148227ce4b79e60e2d42ba360d97227a816713a0b588641fd75ff3263b5dffd91c2d6da5e27a582f1030f09d34a6071af667f300e
-
C:\Users\Admin\Downloads\SwgQ.exeFilesize
205KB
MD500f643e3cf153257869fa688db9bf4d8
SHA12f2242162ae8f4a6888332e20cc86de9fad5ad9d
SHA256409bf8ca352b9464f511bf6263d4992e69616c4364afb7f24afa33a769e71850
SHA512d3ae5889d545ba5a1be27b69465ee7b12994bf22c8a130571a368bfecdd974196cfa9a4bbb97976561ec317ceb45ab6b3b5e5ad9514c1e3613c29586b76f95f5
-
C:\Users\Admin\Downloads\SwsI.exeFilesize
204KB
MD5d0bbe87cdc846e46da1b7f9259297ae7
SHA16b0af82e47bd33077e599809de90b5d8d1eda711
SHA256a5f897d4b6590b736492c64ec8ddf54c9a2544c539cb98dfa2f0085ab440a3c5
SHA51292d3f46b7566ec329842ad60bb1f6fbeca47af7e506e6f2b09e03ed4f55eded274e8f829d6c82b25f4b4671f21c30d390b80b884ce1f9bde55fa2df6052afb31
-
C:\Users\Admin\Downloads\UAAA.exeFilesize
199KB
MD5c9ce0624cec65724a17a7e188693e71e
SHA1ee59c49bd3df0f827349da6dfda9a61b18356065
SHA256154e80531ba632bce0eefc586bd504c761558b9c60e276d22dd704892c8396e1
SHA51285867e3e8e5bd13f2168a40830eb93b45221866d5568b78496c412c44ce11bbd2529a5645f115ac08c53dedcc7207f4c8825f16a2c65a080a5e52d4b2dc3e5be
-
C:\Users\Admin\Downloads\UgwO.exeFilesize
182KB
MD510fb22938548867220bdc09d88c8c905
SHA12c1019a13c75ea75601383470b2713e5c79f8bdf
SHA256992e6ddfbd489f32a03b843d1d60cafc2cc61c5e0460bcee42f7b6e6ef4384b2
SHA5125c4c1c2300314f82287a1eb83c35c5d002a37dd7be3431ce514d8d9468a51125b1c42438926920f0d967cc0cf27440eabcbf71484ee4c0652e2bef1e1731d775
-
C:\Users\Admin\Downloads\UkQI.exeFilesize
197KB
MD5b4374dcdffb9632f741a39acc92a1afd
SHA1caa52affee910b25817664c159223c5379d443ab
SHA2565c30a5815e3d435be7e2a8d1e676fca598be41a8eef546a7e52afd0831383551
SHA512fb5005680377fb6afc846336db83ae950a81cf9f62a17c067efe7479af093f011b9aaf7f5e9b110b14c426954f492079bee2041539e9abf0b5cd4430e9a39312
-
C:\Users\Admin\Downloads\Unconfirmed 630903.crdownload
Filesize: 220KB
MD5: 3ed3fb296a477156bc51aba43d825fc0
SHA1: 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256: 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512: dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
-
C:\Users\Admin\Downloads\Unconfirmed 776309.crdownload
Filesize: 390KB
MD5: 5b7e6e352bacc93f7b80bc968b6ea493
SHA1: e686139d5ed8528117ba6ca68fe415e4fb02f2be
SHA256: 63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
SHA512: 9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
-
C:\Users\Admin\Downloads\Uoco.exeFilesize
195KB
MD5c027fada824d7cb825bb14e560bac475
SHA12b88795760e4f3431b8fbcbe52c3dab2cbe85af0
SHA2560870c0bf5fdfe129c0ad9a29532f5aa8daca6c50ce3bf6763d522755090e96f5
SHA512f74918fb6fddf05ba2b1d1ca0986c9d13697bb8b803f138f482b0f580e7cfbf7801006c088d58f3754ef1470ebd7d5662dbd785523fc651cd5e84cf8004b1dc4
-
C:\Users\Admin\Downloads\WEos.exeFilesize
192KB
MD59839b629d262542892c89bea0a012020
SHA19aab93cf0e45ef686a849fe50ced8f965eac3642
SHA256d83c7c9f9a0d7a719bb7ce345ce8ad1aeeaf871eaf30d0f7fe04927197468c39
SHA512902a5aa523357958efbabd10b972c9eef9abb8cde79d92d2b3b3080dac4442dbb467580fe424583561bcff2692f7788ea5cae8722db40e1a0c3e6017d68a9f75
-
C:\Users\Admin\Downloads\WIAw.exeFilesize
580KB
MD54b9e1045779131df3f2139b4650f0e16
SHA14e3297991b67527231b7a5ddad1fd40d5ecbd067
SHA256f1dbe331214eb081e19d7786392ba15db10d5a6044232edf90936aacaf7c10c0
SHA51297341214d71e68fda187650b71a0f3c5ff0c6c15abc82c8383424c93cdf0cd563f7863501485e12709a2795a9afb191d0680d16bd10828f918b34716f3f4712a
-
C:\Users\Admin\Downloads\WQwY.exeFilesize
197KB
MD5656517c7a241089ef3905ce5dca0fb65
SHA1972f6d67968ccd5e983a27c9f52a4cafeeb07fb2
SHA256b0c674ccee1d180026a9e589f13c34cbdb3fd4d5a1f42062e0039ceae06e0c84
SHA512d7e1c4aac106d952474963e0ef6a663fe3405f90db2a337f454a81db3eec3cdd8153d3493fdc6e74f1c25898a88d252e29ddf37d4fa5eb96f15266609944c062
-
C:\Users\Admin\Downloads\WcAI.exeFilesize
239KB
MD5fa432af422020f5749e5ec5b7590ce23
SHA18910c2cecf1e29a0bac227e3be87ec6657341200
SHA256a468e990d061e8f1c6a9557c8e7da97ed19c26ba348821ed6132bf5db77465dc
SHA51271c2817ba301b5b4a576fb4d2f3182b8f1e114734ca57bb84a68221a4b36b4189231452832e78f5de2f68e0ab9140341a51e2048859748811aedf2a5472ebea4
-
C:\Users\Admin\Downloads\WocC.exeFilesize
206KB
MD5ad7e61872a16e0fa87774d5cf111facb
SHA1abc98c96df211c6022cb9fde1fea6fb9ee73ae7d
SHA256a415083836744d4addddcab5d4f6d12beeea9971bcdffe743625ba88a0d9edb1
SHA5120da13a313aab9817e46e5dfa8795805006334f96a7f32df5f4a28f1a0784d0bb8c9f666968aa127bbf2404f350220f85b7012bc104508dcc6813adbed160c4e3
-
C:\Users\Admin\Downloads\WsEm.exeFilesize
219KB
MD5feeb74e7357156251e003832d5f283c1
SHA1578a2fee149e9fc68d035b321cda9ebc34c3729d
SHA2564f8d686866fea232b385077e8a7768e365faa3134bb0ec358a4c10dc245ab1b2
SHA512f1e6e470c034ef786e8efa0e0e1e76d8b7bee922d1d28fc64ce959bfb57aae587430b94caffc03ba03a99b70a7820e2683282c51bcfaa6a613d5f75e7bdf2a37
-
C:\Users\Admin\Downloads\YYok.exeFilesize
6.2MB
MD550257cff70deb704f2d13b3dfc817fc2
SHA149486f320a5166772a1b3c6c0aec6dc533212b8c
SHA2568f04fd17b6089f4149d0c87b2f7e96effb2e5921fb1ffb82c0fe38be44aa1571
SHA5123800cf9dea24d018521f9045b402fd620f16fa8be2051b43b901d5be8ddf5531dad3cdd6d80715ae93616991136d67f4d9415938416c8c4001135a1871cb08a1
-
C:\Users\Admin\Downloads\YkEo.exeFilesize
629KB
MD59ceefef0739732543989fd1d2a790e5f
SHA1f3b9206e39823c10ee37c4f1aa8a7c432f29d6ac
SHA256655033fe088a00a2f9abdf40c4f9ea596ec8738b2b2424c94d4b347e2109bd2b
SHA512a28c97398fbbb20d65900dfd726f51ee4b86c2d5890cd298e9379aeeb0cf2d3f20f34b2447b9be41091d24feb3c3f86ccf72f50166a049e0cd3427a413e9f4e1
-
C:\Users\Admin\Downloads\YsUK.exeFilesize
227KB
MD5787fc5b45e04facfa3f4e479798808a3
SHA13d6bb8dfed8b99fea97d3a6b951edbd886845294
SHA256029d5c2d4fca184f8d1eb3b9293c0ec0b0e22e9290a8ee92b44ebcd7093a3743
SHA512dd42cd35d722f7092ca3009d411dfadf65df02649aa964eb2ed1bd2115be691dfdcb08a31cbd76b818fa0c44e2c405cbbf24c0ba5c0df793cd6c960a794c51c8
-
C:\Users\Admin\Downloads\YskM.exeFilesize
199KB
MD57ca7b1dd9b95533f2cb9c085e4c0ca2e
SHA1516ca741d224abc1d13c1051d488032266481878
SHA256132fd8afbeec25988c06fcb0282c8af90a67f6e10925e4d7e9826d0f8741100a
SHA51264af59246305f4e3c6b4e3bb4b2cabcd978ce825c7537acac3b0bde80ca5c1782951c0a06c289600d4194ea0b6372999934e9412e98efce386474d706782a961
-
C:\Users\Admin\Downloads\cEsK.exeFilesize
188KB
MD517fc9735a2e2f9f0f446778663d0fd23
SHA1d7577634df85676622a4ecebe9267a439517cc7b
SHA25651b38738cf685685e3e3c5bc36eaa70ea162f8d7d5dca6c928ed823797c5c1b1
SHA512cd69d1bea5b2ed1a9ac3ed35bb11010fa36299f0a693005eb9e0bca83308734949fff9ecfa387e9024410ba06a27c3b752189b8c32e5cc1190183c53ee672723
-
C:\Users\Admin\Downloads\cUUQ.exeFilesize
915KB
MD512a1f777e6c677b78abf985102bfd3ab
SHA1df62cae6b2997d8790c7e045bfe06523b7d5d684
SHA2560c77731c407040bde27b36d410a0157ed0a6a57710dacc56abffb1feb90e7ac9
SHA51273c6e47d853b94e6ed3e1cfb38736bd7b2ae17250614f6c56f11c1b620d0b99d625942a686dd2201a8309528f788e7832d4d7200946b18dcf1cfc811cf4cdc18
-
C:\Users\Admin\Downloads\ccQK.exeFilesize
204KB
MD5f22be3824d4d71b0debde8570abf993d
SHA1e01502eb7da011c74a44d34f595440f0d49970ce
SHA256f62ad08ef343c285024b55ed658c4e7f983cb2a6fdc568fc58a162740a1371d3
SHA512e3fed57ea20d84aa5f7e383f7ae43124f67998f2e02c00c75b18ee4fa2a19ebd0c101e8acf81a4312bc09b5a36ec28bb62dc9c32c6e9660f38ca99088de54bfb
-
C:\Users\Admin\Downloads\cwUu.exeFilesize
190KB
MD542a191ccdda44e9dc9dcdf3addf82be8
SHA1317b78d5dbf07129f38573f0ab37fcbd945b1b5c
SHA25659d77abfdb1399e73fef01262ced125a390f30251e399b2f54be22c279228957
SHA512be487a01e362375dcf7cba91c55ad1ac90b2aeb6b614f91e81dec8181d149134d9395e783cfabd44602ad2c7055a4cac2ed2fcffdc5fe6e7ad3ebab53faf921a
-
C:\Users\Admin\Downloads\eUYw.exeFilesize
195KB
MD5aafae3991d15486e471343a71700d020
SHA1de4d6bad27ba50dc5126dece6c398527f198e420
SHA256b09afe8c3f964d9c93d3ff36d2d840fd14fcccc1ce3fc17b62f0dae497da1bdb
SHA5124c5ddff12fe1ca00234cdb35cace2fa3a85272ff77a4ca5c239f042b36995cf80d5fb975ad626d04c5bdab1152b4138318b2de2edbd762b9ebe3129a1fe0a6f0
-
C:\Users\Admin\Downloads\eYMc.icoFilesize
4KB
MD59af98ac11e0ef05c4c1b9f50e0764888
SHA10b15f3f188a4d2e6daec528802f291805fad3f58
SHA256c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA51235217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1
-
C:\Users\Admin\Downloads\egsk.icoFilesize
4KB
MD534460862c89281546603585eba87f992
SHA1c00e6558b839be12b54316e87116042454cccbd2
SHA256bcb253ea3735a0cf0a8c6ee06c14c884937c64ddeacedb17240e40d403577620
SHA512b21fbe3ba5b0a15dfe6d5797dd72fdfed7798748b1acc8846251ff1f58e164380a0bb2ff40a110f2b86fc6ba76abbb8cbe7a148eff697ef39a5dc4d1448bfe67
-
C:\Users\Admin\Downloads\ekcM.icoFilesize
4KB
MD51097d89b9f8ffe7c92f0574f4dfbda3d
SHA1b1543f2204d93ae2dfbcb1ae9dacfd910df0e8fa
SHA2560c344127fc97373520a16b3f27c97914b56122a7a57c6920ceb6083274f4bce1
SHA512cf83742200a8e75831b3b65945e3e002600fed62430a3f03a3d12826c35dc40e1a045ac5532d757edebcd542cd2460e3a1b9d906eba6d150c70e80d29329f507
-
C:\Users\Admin\Downloads\ewoc.exeFilesize
191KB
MD5f5cf04af0e19bd6053dc6720494b8147
SHA1763859cb197f8bbd781ce737b2836e251f26e669
SHA25621e9ff17f574f30ad072fe9cc0c7daa7244b6e10aede4c24d5f52df69b3c7be0
SHA51218495fcc75fe3263a66696723c9f42bdcb960efbc7d1e3f05229cc6c126f61a4f3dcf6329f980c742fa4ac6e3ffaf1bfe64852899f72790845bb88d083860df0
-
C:\Users\Admin\Downloads\gEIC.exeFilesize
203KB
MD5e506ff4a7ee9395bd17bbc29f2d4d443
SHA1e90dbb4ccf77e8356d5b913ed0f5e56fc9f61e22
SHA25677ac7010e9d8d1eb1176cac564866b4c69a3e6ad7f1c4811224c94267827e5cd
SHA512516f7d874b4191b61fc0cf889b23f563e80d45ab00f9b3a52770aad13db0799e5ee05342a6c67edb09188fbd2b7df04a40d3f10d103bb0af22b1ac0e2ca42df7
-
C:\Users\Admin\Downloads\gIYC.exeFilesize
1.7MB
MD5a5f9519da0fbc41f3890747cef513292
SHA18d0c562f0b6ada6e5d2cc76f492fe23f54c6fab6
SHA256f08ac76a0d0791ca4814d4d588028ee4fe95e275647087c9037ac2488286e231
SHA5123bfcfc4d914414a96bbda2db7143cc8c8bad1b17d7c3112a96aa29cedbedb00267094fd1447b1e5e155b0f31e6451ce41528169b157b48dcc9e977d313c6aaa8
-
C:\Users\Admin\Downloads\gQcm.exeFilesize
309KB
MD5f944ea5d48c43944742cb36c0338c112
SHA101ae48225ad568a177b534a1a29428339b4f5c69
SHA2564c6b416d4736ad1a0268aee267bd52423a50070306fe453b77c6b279de4017bc
SHA5126c128c36eed222bb3b58103e6a020426d2e956c904e35b408a5938eb7d1e9932f33ed6b05e7178df2f66ff299e6e129c9628d58d9544921e58cef9f2445a15fd
-
C:\Users\Admin\Downloads\gUwe.exeFilesize
975KB
MD5b6e85efcf0dd66dd699bd793a397decc
SHA1db89546bd051f9131549fec5412107ee2cf94cfd
SHA256361157d0ccd5cd12bd2ac60fa14ed9f94ee4544d3a37e1872c615784d99a6e4a
SHA5126a98f2ab3615b929b7da6b500c7d1b0f63859956f45c297dedaffaa27256813e9d79be3777123240c480307ebb8608d7c674a266fd230d5e2185a2a7eb72ccc7
-
C:\Users\Admin\Downloads\ggUC.exeFilesize
814KB
MD5269eabfc9bd1ead8f19fbd22d88ba9b1
SHA1735e09dd28bb25498dd29d006cf1a5401be6aca5
SHA2563a7fc6c1365a3f8db9faa703c863c4fdf75d0940b477847a7440c7f5b6aa851f
SHA512d5f2351c30f42a027541b005dbb942398071c598bcd69bd1236ca0e2a8cdf2319fa71d94884f30d5eeab0cef01a5af8020e32f2e5c1d2be9a070dc0b482a790d
-
C:\Users\Admin\Downloads\ggkM.exeFilesize
192KB
MD52f70d8365ab4a4ea67c7114340f98ee5
SHA1285fe9aefe7cc12d65d85f748c744d5c05cd9422
SHA2563866aad34133d10e1a854693edae35964fa0f30425b235573b0fb5cb4e0e2cb2
SHA512ee36a8938384d7cbde92945bf16155c19833564bf49aa0aa2a34a7ef537f3b064c3e75b1429839631c181e26baa626002688b0d612fc2f4e2a00ea2b94cfbc65
-
C:\Users\Admin\Downloads\gkwK.exeFilesize
206KB
MD50624a92ea3ab0941bc0d8e32782f0095
SHA1fedf87f429a1808b4740d6d4ad51de0c6982b2b5
SHA2560695307edda98c533bd9c694999b12c62f40a1187ed57a4d48d83f79f1dc1799
SHA512e8108e0216c496c4381a508583ec0685aba14ee53ef176a075ca51c985d2dc523bc7051e13094bc573cc6b6d40e5669541ad2e0d0c7a41a7fbe318a6bc384217
-
C:\Users\Admin\Downloads\gwcM.exeFilesize
205KB
MD582937b05c626d3bbf47357803d2561e2
SHA1b1a000767ce533c038cd364e5791603657bfa056
SHA256343c5dcd9fbdbfb7006d0686a1e7f58652d58da1f365386f27a118a7f997bc49
SHA51230c107239263924aae2e1965d355768a1baaf6ce097b0ff35d99625e54bb9110cbaf37b68a780f03539ba7781ed924cdb6e88f060e891eef2d794f1fd1dea759
-
C:\Users\Admin\Downloads\iEoY.exeFilesize
192KB
MD5c48d7c896dab641530073af27ce9d849
SHA103d230a37db4f2c227a87a1b2e425d96b46014b1
SHA256bfb9e15ea53ed1500deae9e8fde3905a73b0908f957e6dccb12a4ff53f7d3d49
SHA512ac3644b22b2dd1fb3a76da2ded22f4d1862caa6e347460506de5309acc2f2f1074004e2121432f3204d27a713d9cc4ea361a3b13c2471305c779115a7048a9dd
-
C:\Users\Admin\Downloads\iQMU.exeFilesize
224KB
MD57f5ac095024c3a7adf55589ec4e2a87c
SHA1b47c83cd719f945d21ccb2316206653c490fe4c5
SHA2566d538b65432d75bbf233908c6f64c47922e9cb3b9401134d0080fe945ff23ddc
SHA512b632ec5c9649150c19b16c17863716d7cd66c03c60171380095045ef63202ad7fad33bf5f2dd363eab327b5488accb0b41657ed522af9922241cd149ce7a0c67
-
C:\Users\Admin\Downloads\iUUK.exeFilesize
222KB
MD59c87f43a0e02d619f2f066947d03877f
SHA1b5d5a58b32ac33760b3d703004d1a793a1a29b5a
SHA25611b012a7cd25715c4d0f1f1bc8d2af6ae7af78a871b0b10c1850a153d8b0d525
SHA512755e04113682725396b664f4d39c4ee0d52c1894519281936302d52cf47850d102609094813fa8dfcde3caec6ede39c2ac6903c9bad8c1b4aeb9ac92586799f4
-
C:\Users\Admin\Downloads\icsM.exeFilesize
270KB
MD5209cdd2f9ccbc1b0023c6fcda3c9a4fb
SHA1cbe1bb976ba251565bf819c3796d87e085f31836
SHA256f39d060376b6aecde86a9c1e3003446f85166d72c225dfb37573f21596f32152
SHA512fa5aeefec10ee56c5a0bf6f9e0c76075abe2965d55f0c03036d282305b6676fe1a0a5a9106a8b7b174304749f2957e8becfd6112237e4f8439087f8f15cab8b4
-
C:\Users\Admin\Downloads\igAu.exeFilesize
223KB
MD56433a03c8488fb6c584259e2ab6cae95
SHA1ec07a67b5ee157ea0bf668ffb37f3ad4bd93f417
SHA256774b95f7bd53c8c4d1f035f23abaf105e6258f25e577dca3b9f8a47c5f11dc38
SHA512f55d01811678669bd27e574abb2b85a9adf366880e2d334c959794947ad07cbafefa91cfa01a21456be2d907c09ea87422763aa875c61045b62e7d806db0cb4e
-
C:\Users\Admin\Downloads\igci.exeFilesize
195KB
MD52479f9f27383111f6e8ed32a450fc5d2
SHA1b55897605d813d9e59b06417a89600a0f150cd48
SHA256131e7136ae1219a6dac643e3071b1a0293024590152aebbb1cc9eb6ce7df362a
SHA51241b2601bdc73431df992b8eed0cab7a707b12621d7b902dfc13feb5fc12cee7be1fdcff759930903d69e09a9f1ed611ec295d690141efcdd00d34ebd4d1407ea
-
C:\Users\Admin\Downloads\iggo.exeFilesize
188KB
MD55dbc51bcd98ec00913553370d833dfab
SHA1bfd136d0705ba4630308938dfde7d12105017c0f
SHA256c73944871121cd9c0de605afb97c42589fc02861d0a3abb65fe85378101f4375
SHA5122e3695e5dcbb6251c26fd0ddf2555548ee3800b26fdf0453a8252c0f996c7a27061295e59754b9ad741509208c815c790a0778fb0739a63fa2b92e1bc75a691f
-
C:\Users\Admin\Downloads\iwIu.exeFilesize
188KB
MD53b447431242f112beb9f3eaf1c1770b9
SHA14283d5ac10e7a575ae89fc41cd9b49875c200a78
SHA2564171c6502811a5e812cf3e2589a33248d49d705c33bf37258035a2dcf53e26db
SHA512261924de5ebbbddef9a9c6b354d56865563fd9b5532faf75ae5c15b6a33eeff626b2d99b7b3be8c0c4f021d48d65577e0cf22b205e1ded1dacc135d236c68208
-
C:\Users\Admin\Downloads\kAEs.exeFilesize
193KB
MD52c6356d47c657da4bdeb77f5c705d525
SHA1fbfc8d4f5fdb7d452e59e999d1ca5ee5113cd87b
SHA2567dd4a1947599740848ac345bfe2e26e22a08c90e93e770f0019487f2602f784c
SHA5124e9d648261c4c39cb42798ff57d6300ba583290b061bec23b8467b2846db38bd80b8f05b7e9461fa5bc41ddf3805acb198ed9f47cd6b8dfb68bfa00fd4b8e13c
-
C:\Users\Admin\Downloads\kMwU.exeFilesize
186KB
MD5f30a7fc840312b5d61fd347c23ace71c
SHA19e8cdec69416a380fdfea047e11404baa636834e
SHA2565e367b60ad939270ace605761bc5c0a70e56a824f9e2447a74091283209d6ec5
SHA51217ef48e24202cc241200227b650581350f1714309d2b3f1e77dc907e0471828344f308b6f147b62513f4e8cb35c09c7057ce93078d406c404b4b0a2892a55deb
-
C:\Users\Admin\Downloads\koEk.exeFilesize
200KB
MD59d33f06be2573267d2d6239acbecab40
SHA13c0294359882677443758811f5af25604a2d55ef
SHA2565a470e687364210688b7aa1e8c22a13303a43ff2b610305fc96285ce6325706d
SHA512d722cd94a699d08b676d624815592bb09f4b68ab05e9b7824f28e9acdb1175098a8fa2ec6acfecda0119c79937b44ecbaa000c1439868ea16d91d2008b8a491c
-
C:\Users\Admin\Downloads\ksoi.exeFilesize
185KB
MD520e1dc28565e4f27d79aed752e77e1fc
SHA1e351365fbfd5ae95ecb4ee88cf3906311934b740
SHA2569a56c9f5391d2a4d127ccaea74ef514e752c87d40464ebb494b194f9b98d1cf7
SHA51290362d3bad3f8f2f663d64070246a16f63c5ac4204463a6ea84bed580adf87f6dd977f75858d0ef81a65b88e067fd9ec6b47801b16820c0ed8b3fd7cf8be854d
-
C:\Users\Admin\Downloads\oMkq.exeFilesize
197KB
MD541be7f11f6567469eea00cdadf4c0154
SHA197a14fc4766f592359f81461620e44721408ce27
SHA25614006b6ab3d5d3d32f60b5e67ce6cebd23d06e6558155a1b1714a8de9c04dc9a
SHA512e43ed1f3f44a6cadf5a5ec004fe92a20d28ee9fda52b14c0bb656a32a434188183bdf08ce30880b959ddc7fd3cc4e131b9a22425cff2fe3d770f66aaf264c31c
-
C:\Users\Admin\Downloads\qAEy.exeFilesize
193KB
MD59cdbe8f26cb2d6a1eb26a99c70559ce4
SHA1c0820aafb45d15c57d7e357bc17147dc0bf09b78
SHA256eabb8bd0391f866cf071db2c05f6a010600533239f7f7f198f471a46359a469f
SHA512c9fd027f51b2d77389240732ae9353d477624df8c8cd31c2d4d9b6d28f1b775f05186410983754b96dfb847d65f6fab0c0d9f86b6741fdb05f671aaf270af3a5
-
C:\Users\Admin\Downloads\qQok.exeFilesize
806KB
MD53c8ebb0ba17580c21f7867b1f01b6ebf
SHA16afb677806b860c8bffc43703c1b17f032596320
SHA256db7a3628c4cfc7cd12903d96e5fb65c934cb6cfaf8f958e6019166f436905f37
SHA5122171cdb43f8cb5dfdc2e1be8cd3687a8fa612293938d0028b759ffcfa96ab70667c611fde9e469fac6130a4559a49e4a447a4bf59cb0cb3dd2c3723a1623ab21
-
C:\Users\Admin\Downloads\qYAu.exe
Filesize 642KB
MD5318a95c420debead0283a02fac4e5551
SHA104b34270bc095b8c5618a39715e290093bfd6878
SHA2567ae7c0c2defa664be253d5e6950cab4d9e69efec3e2ae1f4fc8b4bf536a8f579
SHA512cf8a777d0c67d07eec13ce8cd7a7a13cdd3dc1923ddc2d3f6aadb32c28556afcc2c22ca5d9b1e0788501af54a9829ef98f02af1d9c9428a526cbbd594348a991
-
C:\Users\Admin\Downloads\qgoc.exe
Filesize 201KB
MD531e15e54322714a5f6a28e45318cfc98
SHA1cffc1007c60206ac8b09c05378b99cfc4e85b0a3
SHA256db59e3700c057b16f1e42cde21282c67de7bfa6016c14b0784b6d572f34bc32a
SHA51247fb058dccf99d6db0a62f93283b5d9d02bc2e0bbe0eb586b3dfe844de373c8949dec9403888d6a6337063d251aed721a786b4d3e82f1efc8d90c0558d35b238
-
C:\Users\Admin\Downloads\qgwe.exe
Filesize 835KB
MD57f4aa682553022f7c5a946141a975266
SHA1cef241a962033ec2a1cd06dc6190c7b217222794
SHA256fc8b40ac30cac3c9e4f243b2650224eda909ace1bb2d7f8e17fc2e8430b85a47
SHA51239df2fca9eb50f7a33389eaf2d0864633cac0217b33bdb0f5ccfeac3b5cfbd952b16a6ca101fa7980c5a7699c91b0f930d8a15a2fdd443c167d745321d534cca
-
C:\Users\Admin\Downloads\sMoe.exe
Filesize 197KB
MD58c29a644d3f352894fb9aed8b58021ed
SHA1226b7135c1bacd2ef725a4cc5a5f8c7032a22a7e
SHA2564f9f58a8c909bb4353883e85cb3b156fc2e5db08c832555a87ff29b6a6bfd55a
SHA51201ad62b4dcb4be2d109658d346c390363c65a1076a07911bbdc8733b65c32c32afc5629187f3b4b328e469267a21431071c7a982e021dd6d71330c6686bf662d
-
C:\Users\Admin\Downloads\sQYm.exe
Filesize 852KB
MD5f03cb6a5cb2b727c3a92529a94c9ba3c
SHA1a43d40e63cdfb3069397d1b3ddfcae6a938e5b9e
SHA2562cc619e08f8f717736781d884256175d1293e6904239cceefe26faebe3b4f5b3
SHA5127e1f3ec7c741a773f2982c6b9870eb4999cbd7b60614e83d96db3ea58287be6f7b112a179de5af47f9287b4bf1f626ffa67a7840d718045e9bf46a4bc1701614
-
C:\Users\Admin\Downloads\sUAi.exe
Filesize 203KB
MD5e28a8f4cd56496c60f1fb9875bba6d29
SHA1c28385a0028b17bbe4997e944ee2d263f8f5805f
SHA2562c3e5a958c18687fe4dc46cdc92b31f8400bd71e3f137900989bc63593ab808e
SHA512ca5281693be180cd07963501577a2ea41b50f4a8d12bcef34aa6fdf1cf6826cdef9e56f41101ccf697fd9ab5e5e4503538b0a219503740c5946a40c53e5a362a
-
C:\Users\Admin\Downloads\sgEc.exe
Filesize 189KB
MD5adf772eec60e21324bcb83facd75eea7
SHA1b59a6679cc5498fcf0d03b1c844bd2b89c299044
SHA25628d7779fd9ab771d380a51dd2c0d5e32bacd20d0794008b4d6a67389f2c2ca44
SHA512f28364b9827a97059de8b594669b42f443853ac314c09c78686dc6c15e21932badc427b6aa2260b6a0a58c9f12a17e9367b630ee8b0f624d67d508ceb048659e
-
C:\Users\Admin\Downloads\skIi.exe
Filesize 632KB
MD5dfdcb713bbe39469d91884e05870171a
SHA148d4a892997c86fd4217c47c353feb26a6bc6be0
SHA256408360074edf0388742cde60f89659ad7333835a95cad217a3520b1aed0c4e64
SHA51276b775e41d3d252449ed2af78672735efbb0bc7d67b6019604bd4c973e808e3b6ec545335ee606c89771b1dbf47f710bf9c8e16029ef06003a69922405e908bd
-
C:\Users\Admin\Downloads\soUs.exe
Filesize 195KB
MD53089d8b0b83b98541eff0a6c08603fc6
SHA14abab57478d6538cfa36ad275d6638bf024ae73e
SHA25672c73ecc072d04adde2448924d233f947bc72bcbf9991bdeaa4f9c2769fb0125
SHA51201c4850ab9a579e9a5978524de36926857365668dcff92972adc4a694e9b415653693485838eef58d7833981e53bb10e5f72796ddc3b76f953e02d7a1a928d7d
-
C:\Users\Admin\Downloads\sosW.exe
Filesize 6.2MB
MD5764797e0ac436e064c4e7d194c994092
SHA142c034a7a78d35f9a8a7f06a88ea5a72c6794dab
SHA256e20f35aec9c01a4399672d1d65ddc21566b10bf1e55fa0ef558418952c321010
SHA512a99de35fb5860006bfa7f10f5dda73fab2338f62aadef9d54c363269c1026faf89793651c5922e1d7b835fdc385a2b69a5534a89937904a4b2824f968be80681
-
C:\Users\Admin\Downloads\swcS.exe
Filesize 221KB
MD5696a92a8d3e5f784fda9d681dfeaa0fb
SHA1774b4e93407cbefb21d2472f073b0193fc3cbe45
SHA256ba570a21eba1dc29d12583852000972d11858a3c7b2579ca8a5b8416483fe36e
SHA512df1c01c0f187b3ccd2b9b32db1ff675a6805f708272b2ff3a3e0a0f1ffbabfa6593e0c7a364a255941b5f2d23854255d524c61149b2eac0599e16cf2a7940280
-
C:\Users\Admin\Downloads\uEAa.exe
Filesize 801KB
MD5c6f475863d79e7903b5cba7a246c1f81
SHA19c377a9d876e9a9250058a618da0f747011dc365
SHA25667187bc82f21af16cf9bbcc011256cb4f0decbf54e9e0cf8e1b21bfd057b4cb4
SHA512b4a7d514098ff7fcce290fbe396300576abbeeb785ba4c6ce7a60643d1b071ad8744ac3a87b915a0dc9c9494012876bb536979fa34e4aa0125511e482dfd8c9c
-
C:\Users\Admin\Downloads\uEYw.exe
Filesize 201KB
MD51c3261aad1fa1741769e2bd94bdc3092
SHA1ed3366483454d66d8fe9f91de6038a70ca97ddf9
SHA25639cf907935ff748c492f5e6f2269f102015123c3429ada9b5771c11c9da078a9
SHA5128928fe08762bcd77ad58b0f104a7aa38356b60dc774ca1148ef0e9b4dc1a7b968c835110f51fa469957fa7d1ff918c0746b72ebe84107616e15edfa4042323b2
-
C:\Users\Admin\Downloads\uYko.exe
Filesize 200KB
MD50ae948c2ed743f18f7622b2a6438e378
SHA1a8b4d9038225eb00a7ee30b85be7301a18310e22
SHA256bae4aa5a20f5588ee61fdf43166afecbde9cb65298bcd27fa2de85734a85e38b
SHA5121d129d3381edc9c8b0b13f072534c9a53f549a158ac8a5b35906c5dfdfac771b5a1726a38d74dbcfda585251eb7b49a957fde29134d654c61e9269a5f557d9a1
-
C:\Users\Admin\Downloads\ucku.exe
Filesize 657KB
MD5820b222f1245c5b26558f267b3253bbe
SHA13b3a2c8c2c0db49ecccaf7e69730678498284ba7
SHA256c35ee773e59288e3256c23a98564994b8e227839a616cac325e8e8117d5dc990
SHA51292bb20921b49c1e606df7c20f8f0f4bae89aa8a1de633c71972e45de6a5613ed2c69df1074f7da8c677d0ad96ff1d1167d850758d5367c3216d6c3839ae5e80e
-
C:\Users\Admin\Downloads\ucoa.exe
Filesize 424KB
MD5f404061f324ee7228a7b79ea29080e18
SHA1d20c9cbcd3cee3780892107c5a87802972471b2c
SHA25600ddb053089f10c7c66c629c7faeda450e9a4657a1b592ee8a8dfdb1d7e09d56
SHA512f36a34070ee92027d07672efc4b0a31051ebe6e883db23fc859bed1c534a0c046547ac9e3f8d4ca0619f8054d658fcf33d3ec927ad82b88166177daef7fa280f
-
C:\Users\Admin\Downloads\ukce.exe
Filesize 565KB
MD522f745f3275261884d9512a4114ca3f1
SHA1f9b40d9e1c15537e7c08a1a13367c89a732d8e66
SHA256c87a0d8dc6bb78abe850f48013e4c788285ade38cfabee145af909772c356ed7
SHA5120492f86d38b4f9770c7cb6d4e5dedd39006bc455d07d91eaaf5c198896f01e62b92ad85b48ef778108b4b3a5c7cb330d067ed7052f262f8b8110e6cad11bb0dd
-
C:\Users\Admin\Downloads\usIc.exe
Filesize 776KB
MD5fdf09580611babdec8053a6273c47acd
SHA158298851886811c705aafe8156ee816581689199
SHA256902345ff8683eb4e78e7b306fdee881e45ed2f94fd0dda9d2fec109c09c74b02
SHA512c3b0ee336d9db1f40b741400511a1a4f2ab23e3366ce4157dfe0bf1fab6b4823d42424fcfab1d395b7175b9b5705633f9b32b093c7371457c25c5f28c1d11921
-
C:\Users\Admin\Downloads\wQsK.exe
Filesize 194KB
MD59cae79cb72bd8d286db93c182c1f3317
SHA1188e41a711f9730ef34f8b8dc4cb9a590c8f4334
SHA25607bbc96515a1fd09a46da2849a7ecafe11367090c68e8ff1197436507c5285b6
SHA5121d787387a4234d3a0f89b762b7109f36f9d582080c533f052b64105ea077960f7e8108527549ebe2d0c187aec0bfcd9f784a36663e275737e732fa7d77dc9095
-
C:\Users\Admin\Downloads\woUe.exe
Filesize 205KB
MD527dc6314ddb95ce15115d9abe15ddbbc
SHA1de38d23e6e7d8783fc151a17d6a9abe63a4634d6
SHA256041bc5fa007d76db0e1825544fdb71a481e27a807fb19eaae61a1e5d4c2fa6e9
SHA512ded8957c29709353767cdb6c2f3a54372d7d367e6d141df3182e36922c5e985cd9721f1f471eae9ddc383ceae570e39a17c6da87418fbe5ef5f2b63dc32f1fde
-
C:\Users\Admin\Downloads\wwkI.exe
Filesize 195KB
MD57e041d38554cc61c2a4a6286dbe82b3f
SHA12afb8e5da191223bdf90028c09b4ae15c9f79ac0
SHA2568053bb1ed389d4a278771d772f2d6e5240206702d6329c40fc4a9682ac389ff0
SHA5129af2a48a7783bf9ce5c10848f91cdaaa1e89c8e8e12b877219edd301b5366936e210dc34e199a1747950943fae7161766d9119fe1f176a1f9b9d9650703069ce
-
C:\Users\Admin\Downloads\wwkU.exe
Filesize 1.0MB
MD5a7a9a3e39054daf317b5a03895efc2ba
SHA17c7be32dd1a34777b1553a12768581ca45e36e1b
SHA256a424b05bb740b6a2c035b7a8e390a1ef024d853b940caa69640133755c38aedc
SHA5125056540d18ba7decff93c2cbf28d9528c71157e520e5685e59d1c008538bd279ceefbca3f169ca7aa1b4b0b40cf66c1f328b5b82c73077f7fc50b01decdc2072
-
C:\Users\Admin\Downloads\yAcg.exe
Filesize 198KB
MD5a471ac95a8b6d8e9e8170f7756be5d09
SHA166302dcf6a5128ea6b8233782b59e3e7ede13351
SHA256eb597d32a54cd8610b76e70687e00bc3d5d16499f5b6784d448b5ea7192ae3c6
SHA51286dec7e053979e200ca7421389b6e6b8c3b67664383ef6b3323bf563cf6146b9254baff7c6d0569c8db8ee136f5705a1ccd1c1c67b5b189a40ec9b5c5d3ceacd
-
C:\Users\Admin\Downloads\yAgI.exe
Filesize 209KB
MD55b193ce2beb6ac5e29a44c3d7234f8b2
SHA163adc905e42c542a22e1c6efe6871b8bebe2f32d
SHA2563bb42b470d48c68b76978056011f1a507bbd8e84e50cf58395614142bf3e401d
SHA512b4b53eed30d09765d351b1f4c20fa8894ea5d74f4856d0a776a349b41cbb950208899bb78f014651fbe5e0c0c9d5ae97b481aaccdee4c6a5c077d4969f60d125
-
C:\Users\Admin\Downloads\yUge.exe
Filesize 314KB
MD54d23b709b075a43cf59a9d76fbeda867
SHA1ce3d5857938e0abf183708c9e64552470ac9dee7
SHA2563a5ea54d9156632119664b6e548e8687ef1ffbf9f1c953e18675587b94af0838
SHA51237b407562a85cb64d7f3d7a336a45f121bcd917adb5376b025fbdcfcb59b2025995efb17532723775b644cfef1941cf3bbf440c16a8fce9a0424d975276bcd7e
-
C:\Users\Admin\Downloads\yYwG.exe
Filesize 794KB
MD53e55718304bd4abb101b7acfb8bd88e2
SHA1a59ee1156451a478886f03846155bc0f16086634
SHA2569312d2490425293c5d920ff5b13f3193add2c67c3d3b7066fdaa8180ab21f34b
SHA5126e1b19ca7f61f0de0a711b5ca799528066620f8d8625081bfa06d5d441bb60bef856d98684e1a3b59b4afb201d5ddec49428ee83c816747ffa3555ae882aaead
-
C:\Users\Admin\hYMEAsUA\UckEskUQ.exe
Filesize 188KB
MD5a930f4b276cf273ce2dfc078c8d778d4
SHA188de2f7d84705c9ff9d63e74b5046d368264c963
SHA256b96136d0938393a55aa98c6f566404babaa82835e56811960facc7ffe045be28
SHA512c9205f3ac25188b231c7812d74bb1389218de7db159a50ec6d6c88a397c109899877eedd6e211dc9b04b401c3d9b8e301c0212aed774763d1111df99112091ec
-
C:\Windows\perfc.dat
Filesize 353KB
MD571b6a493388e7d0b40c83ce903bc6b04
SHA134f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA512072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
-
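\??\pipe\LOCAL\crashpad_2096_YNCNGQBAZNEGGYZB
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(Note: these four values are the digests of zero-length input, presumably because no content was captured for this named pipe. They identify no file and should be excluded from hash-based indicator lists, where they would match every empty file.)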
-
memory/240-554-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/240-540-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/392-902-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/460-421-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/568-958-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/568-949-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/756-645-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/772-938-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/772-927-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/776-378-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/788-861-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/820-599-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/820-608-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1008-462-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1008-449-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1036-448-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1036-433-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1056-474-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1056-459-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1156-729-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1156-740-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1168-879-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1204-600-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1204-591-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1348-541-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1348-531-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1488-590-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1488-580-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1624-579-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1704-841-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1728-392-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1728-373-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1804-852-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1804-842-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2164-968-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2164-957-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2224-983-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2368-732-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2372-808-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2372-475-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2372-795-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2372-489-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2476-637-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2476-626-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2624-828-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2624-816-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2664-663-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2664-683-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2688-420-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2688-436-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2828-502-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2828-939-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2828-947-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2828-511-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2972-986-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2972-973-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3012-817-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3032-388-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3044-857-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3044-871-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3128-703-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3128-713-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3468-666-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3516-523-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3516-532-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3732-695-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3732-684-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3784-619-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3784-629-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3832-752-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3892-704-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3892-694-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3988-789-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3988-778-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4148-655-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4200-512-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4200-522-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4272-769-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4272-781-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4296-977-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4332-919-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4336-620-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4336-609-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4584-751-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4584-772-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4676-553-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4676-562-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4768-500-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4840-798-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4864-408-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4864-394-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4864-928-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4872-227-0x0000000002320000-0x000000000237E000-memory.dmpFilesize
376KB
-
memory/4872-238-0x0000000002320000-0x000000000237E000-memory.dmpFilesize
376KB
-
memory/4872-225-0x0000000002320000-0x000000000237E000-memory.dmpFilesize
376KB
-
memory/4872-224-0x0000000002320000-0x000000000237E000-memory.dmpFilesize
376KB
-
memory/4872-216-0x0000000002320000-0x000000000237E000-memory.dmpFilesize
376KB
-
memory/4984-710-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4984-722-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5000-911-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5048-890-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB