infinitylock | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n[.]exe

Resubmissions

07-05-2024 16:28

240507-tyx6ssha59 10

07-05-2024 16:24

240507-twmx2sed5t 10

Analysis

max time kernel
224s
max time network
224s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
07-05-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe

Score

10^/10

infinitylock mimikatz bootkit evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C9B8.tmp	mimikatz

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

NotPetya.exeC9B8.tmpPolyRansom.exeUckEskUQ.exePKEcQwIw.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exe

pid	process
2996	NotPetya.exe
3764	C9B8.tmp
1728	PolyRansom.exe
776	UckEskUQ.exe
3032	PKEcQwIw.exe
4864	PolyRansom.exe
460	PolyRansom.exe
2688	PolyRansom.exe
1036	PolyRansom.exe
1008	PolyRansom.exe
1056	PolyRansom.exe
2372	PolyRansom.exe
4768	PolyRansom.exe
2828	PolyRansom.exe
4200	PolyRansom.exe
3516	PolyRansom.exe
1348	PolyRansom.exe
240	PolyRansom.exe
4676	PolyRansom.exe
1624	PolyRansom.exe
1488	PolyRansom.exe
1204	PolyRansom.exe
820	PolyRansom.exe
4336	PolyRansom.exe
3784	PolyRansom.exe
2476	PolyRansom.exe
756	PolyRansom.exe
4148	PolyRansom.exe
3468	PolyRansom.exe
2664	PolyRansom.exe
3732	PolyRansom.exe
3892	PolyRansom.exe
3128	PolyRansom.exe
4984	PolyRansom.exe
2368	PolyRansom.exe
1156	PolyRansom.exe
3832	PolyRansom.exe
4584	PolyRansom.exe
4272	PolyRansom.exe
3988	PolyRansom.exe
4840	PolyRansom.exe
2372	PolyRansom.exe
3012	PolyRansom.exe
2624	PolyRansom.exe
1704	PolyRansom.exe
1804	PolyRansom.exe
788	PolyRansom.exe
3044	PolyRansom.exe
1168	PolyRansom.exe
5048	PolyRansom.exe
392	PolyRansom.exe
5000	PolyRansom.exe
4332	PolyRansom.exe
4864	PolyRansom.exe
772	PolyRansom.exe
2828	PolyRansom.exe
568	PolyRansom.exe
2164	PolyRansom.exe
4296	PolyRansom.exe
2972	PolyRansom.exe
2224	PolyRansom.exe
3832	PolyRansom.exe
540	PolyRansom.exe
4612	PolyRansom.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4872 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4872	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PolyRansom.exeUckEskUQ.exePKEcQwIw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Run\UckEskUQ.exe = "C:\\Users\\Admin\\hYMEAsUA\\UckEskUQ.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PKEcQwIw.exe = "C:\\ProgramData\\DmUwMkwo\\PKEcQwIw.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Run\UckEskUQ.exe = "C:\\Users\\Admin\\hYMEAsUA\\UckEskUQ.exe"	UckEskUQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PKEcQwIw.exe = "C:\\ProgramData\\DmUwMkwo\\PKEcQwIw.exe"	PKEcQwIw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
29 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe

flow	ioc
2	raw.githubusercontent.com
29	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

UckEskUQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	UckEskUQ.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	UckEskUQ.exe

Drops file in Program Files directory 64 IoCs

Processes:

InfinityCrypt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\psmachine_64.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\MSFT_PackageManagement.strings.psd1.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ar_get.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\Comb_field_White@1x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_ie8.gif.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\vcruntime140.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\ca-Es-VALENCIA.pak.DATA.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_18.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_link_18.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\gd.pak.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\ug.pak.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\VisualElements\SmallLogoCanary.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\onnxruntime.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\am.pak.DATA.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\ro.pak.DATA.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_km.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Bold.otf.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\concrt140.dll.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge_200_percent.pak.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected-hover.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyFolder_160.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_xd.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F	InfinityCrypt.exe

Drops file in Windows directory 4 IoCs

Processes:

rundll32.exeNotPetya.exe

description	ioc	process
File created	C:\Windows\perfc	rundll32.exe
File created	C:\Windows\dllhost.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InfinityCrypt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4120 schtasks.exe

pid	process
4120	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3588004638"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31105231"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4824	reg.exe
3108	reg.exe
2440	reg.exe
4588	reg.exe
1612	reg.exe
3744	reg.exe
2980	reg.exe
328	reg.exe
652	reg.exe
4500	reg.exe
788	reg.exe
2972	reg.exe
2664	reg.exe
1976	reg.exe
1516	reg.exe
3708	reg.exe
3392	reg.exe
4880	reg.exe
1344	reg.exe
2860	reg.exe
3996	reg.exe
3188	reg.exe
880	reg.exe
4272	reg.exe
3568	reg.exe
2280	reg.exe
2092	reg.exe
3196	reg.exe
4824	reg.exe
3904	reg.exe
3892	reg.exe
3904	reg.exe
4856	reg.exe
820	reg.exe
4120	reg.exe
1204	reg.exe
2716	reg.exe
4256	reg.exe
4544	reg.exe
2560	reg.exe
3568	reg.exe
3176	reg.exe
4904	reg.exe
4744	reg.exe
4588	reg.exe
4624	reg.exe
3044	reg.exe
2432	reg.exe
3152	reg.exe
3732	reg.exe
3228	reg.exe
4272	reg.exe
4800	reg.exe
1200	reg.exe
772	reg.exe
1204	reg.exe
3472	reg.exe
2024	reg.exe
2624	reg.exe
788	reg.exe
684	reg.exe
4624	reg.exe
2860	reg.exe
2260	reg.exe

NTFS ADS 7 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 195121.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 269416.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 776309.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 630903.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exerundll32.exeC9B8.tmpmsedge.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exe

pid	process
1660	msedge.exe
1660	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
636	identity_helper.exe
636	identity_helper.exe
4988	msedge.exe
4988	msedge.exe
4288	msedge.exe
4288	msedge.exe
4872	rundll32.exe
4872	rundll32.exe
3764	C9B8.tmp
3764	C9B8.tmp
3764	C9B8.tmp
3764	C9B8.tmp
3764	C9B8.tmp
3764	C9B8.tmp
3764	C9B8.tmp
960	msedge.exe
960	msedge.exe
1728	PolyRansom.exe
1728	PolyRansom.exe
1728	PolyRansom.exe
1728	PolyRansom.exe
4864	PolyRansom.exe
4864	PolyRansom.exe
4864	PolyRansom.exe
4864	PolyRansom.exe
460	PolyRansom.exe
460	PolyRansom.exe
460	PolyRansom.exe
460	PolyRansom.exe
2688	PolyRansom.exe
2688	PolyRansom.exe
2688	PolyRansom.exe
2688	PolyRansom.exe
1036	PolyRansom.exe
1036	PolyRansom.exe
1036	PolyRansom.exe
1036	PolyRansom.exe
1008	PolyRansom.exe
1008	PolyRansom.exe
1008	PolyRansom.exe
1008	PolyRansom.exe
1056	PolyRansom.exe
1056	PolyRansom.exe
1056	PolyRansom.exe
1056	PolyRansom.exe
2372	PolyRansom.exe
2372	PolyRansom.exe
2372	PolyRansom.exe
2372	PolyRansom.exe
4768	PolyRansom.exe
4768	PolyRansom.exe
4768	PolyRansom.exe
4768	PolyRansom.exe
2828	PolyRansom.exe
2828	PolyRansom.exe
2828	PolyRansom.exe
2828	PolyRansom.exe
4200	PolyRansom.exe
4200	PolyRansom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UckEskUQ.exe

pid process

776 UckEskUQ.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe

pid	process
776	UckEskUQ.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rundll32.exeC9B8.tmpInfinityCrypt.exe

description	pid	process
Token: SeShutdownPrivilege	4872	rundll32.exe
Token: SeDebugPrivilege	4872	rundll32.exe
Token: SeTcbPrivilege	4872	rundll32.exe
Token: SeDebugPrivilege	3764	C9B8.tmp
Token: SeDebugPrivilege	3372	InfinityCrypt.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeUckEskUQ.exe

pid	process
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
776	UckEskUQ.exe
776	UckEskUQ.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NotPetya.exe

pid process

2996 NotPetya.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2096 wrote to memory of 2856	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 2856	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3920	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 1660	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 1660	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3208	2096	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffefd53cb8,0x7fffefd53cc8,0x7fffefd53cd8
2⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
2⤵
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
2⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
2⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
2⤵
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:8
2⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
2⤵
PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
2⤵
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Users\Admin\Downloads\NotPetya.exe
"C:\Users\Admin\Downloads\NotPetya.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
3⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:32
4⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:32
5⤵
- Creates scheduled task(s)
PID:4120

C:\Users\Admin\AppData\Local\Temp\C9B8.tmp
"C:\Users\Admin\AppData\Local\Temp\C9B8.tmp" \\.\pipe\{6E4F1152-4CC5-4922-8EE3-36A21A9DA585}
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
2⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3408 /prefetch:8
2⤵
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:960

C:\Users\Admin\Downloads\PolyRansom.exe
"C:\Users\Admin\Downloads\PolyRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Users\Admin\hYMEAsUA\UckEskUQ.exe
"C:\Users\Admin\hYMEAsUA\UckEskUQ.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:776

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
4⤵
PID:5000

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
5⤵
- Modifies Internet Explorer settings
PID:1476

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
4⤵
PID:4856

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
5⤵
- Modifies Internet Explorer settings
PID:2624

C:\Windows\SysWOW64\notepad.exe
notepad.exe "C:\Users\Admin\My Documents\myfile"
4⤵
PID:3012

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
4⤵
PID:3420

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
5⤵
- Modifies Internet Explorer settings
PID:1036

C:\ProgramData\DmUwMkwo\PKEcQwIw.exe
"C:\ProgramData\DmUwMkwo\PKEcQwIw.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
3⤵
PID:3340

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
5⤵
PID:3392

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
7⤵
PID:2348

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
9⤵
PID:3176

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
11⤵
PID:2368

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
13⤵
PID:3192

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
15⤵
PID:2340

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
17⤵
PID:4404

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
19⤵
PID:1716

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
21⤵
PID:3992

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
23⤵
PID:1624

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
24⤵
- Executes dropped EXE
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
25⤵
PID:1832

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
26⤵
- Executes dropped EXE
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
27⤵
PID:3696

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
28⤵
- Executes dropped EXE
PID:240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
29⤵
PID:2720

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
30⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
31⤵
PID:1344

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
32⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
33⤵
PID:3468

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
34⤵
- Executes dropped EXE
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
35⤵
PID:2428

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
36⤵
- Executes dropped EXE
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
37⤵
PID:2288

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
38⤵
- Executes dropped EXE
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
39⤵
PID:1624

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
40⤵
- Executes dropped EXE
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
41⤵
PID:4240

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
42⤵
- Executes dropped EXE
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
43⤵
PID:1204

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
44⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
45⤵
PID:1356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
46⤵
PID:1832

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
46⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
47⤵
PID:2968

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
48⤵
- Executes dropped EXE
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
49⤵
PID:1768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
50⤵
PID:3544

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
50⤵
- Executes dropped EXE
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
51⤵
PID:2476

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
52⤵
- Executes dropped EXE
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
53⤵
PID:1356

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
54⤵
- Executes dropped EXE
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
55⤵
PID:4976

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
56⤵
- Executes dropped EXE
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
57⤵
PID:2792

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
58⤵
- Executes dropped EXE
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
59⤵
PID:4152

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
60⤵
- Executes dropped EXE
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
61⤵
PID:1012

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
62⤵
- Executes dropped EXE
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
63⤵
PID:3988

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
64⤵
- Executes dropped EXE
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
65⤵
PID:328

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
66⤵
- Executes dropped EXE
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
67⤵
PID:2224

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
68⤵
- Executes dropped EXE
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
69⤵
PID:4148

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
70⤵
- Executes dropped EXE
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
71⤵
PID:1156

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
72⤵
- Executes dropped EXE
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
73⤵
PID:3832

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
74⤵
- Executes dropped EXE
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
75⤵
PID:1924

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
76⤵
- Executes dropped EXE
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
77⤵
PID:3468

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
78⤵
- Executes dropped EXE
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
79⤵
PID:5048

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
80⤵
- Executes dropped EXE
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
81⤵
PID:2472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
82⤵
PID:1756

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
82⤵
- Executes dropped EXE
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
83⤵
PID:1596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
84⤵
PID:704

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
84⤵
- Executes dropped EXE
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
85⤵
PID:3472

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
86⤵
- Executes dropped EXE
PID:788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
87⤵
PID:1976

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
88⤵
- Executes dropped EXE
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
89⤵
PID:1612

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
90⤵
- Executes dropped EXE
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
91⤵
PID:2440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
92⤵
PID:1596

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
92⤵
- Executes dropped EXE
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
93⤵
PID:4296

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
94⤵
- Executes dropped EXE
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
95⤵
PID:1036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
96⤵
PID:1156

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
96⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
97⤵
PID:820

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
98⤵
- Executes dropped EXE
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
99⤵
PID:792

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
100⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
101⤵
PID:3752

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
102⤵
- Executes dropped EXE
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
103⤵
PID:1036

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
104⤵
- Executes dropped EXE
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
105⤵
PID:2704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
106⤵
PID:1148

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
106⤵
- Executes dropped EXE
PID:568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
107⤵
PID:5020

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
108⤵
- Executes dropped EXE
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
109⤵
PID:2296

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
110⤵
- Executes dropped EXE
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
111⤵
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
112⤵
PID:2864

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
112⤵
- Executes dropped EXE
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
113⤵
PID:4500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
114⤵
PID:4904

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
114⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
115⤵
PID:2956

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
116⤵
- Executes dropped EXE
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
117⤵
PID:4788

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
118⤵
- Executes dropped EXE
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
119⤵
PID:4584

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
120⤵
- Executes dropped EXE
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
121⤵
PID:2076

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
122⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
123⤵
PID:1832

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
124⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
125⤵
PID:4500

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
126⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
127⤵
PID:2864

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
128⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
129⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
130⤵
PID:3108

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
130⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
131⤵
PID:772

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
132⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
133⤵
PID:540

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
134⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
135⤵
PID:1348

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
136⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
137⤵
PID:2092

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
138⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
139⤵
PID:720

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
140⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
141⤵
PID:4804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
142⤵
PID:3364

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
142⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
143⤵
PID:3480

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
144⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
145⤵
PID:392

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
146⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
147⤵
PID:540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
148⤵
PID:1592

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
148⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
149⤵
PID:1080

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
150⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
151⤵
PID:2560

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
152⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
153⤵
PID:1700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
154⤵
PID:3532

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
154⤵
PID:240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
155⤵
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
156⤵
PID:1056

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
156⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
157⤵
PID:1036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
158⤵
PID:5048

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
158⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
159⤵
PID:880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
160⤵
PID:1356

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
160⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
161⤵
PID:1156

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
162⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
163⤵
PID:5028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
164⤵
PID:2972

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
164⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
165⤵
PID:3188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
166⤵
PID:704

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
166⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
167⤵
PID:348

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
168⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
169⤵
PID:1100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
170⤵
PID:4744

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
170⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
171⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
172⤵
PID:3996

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
172⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
173⤵
PID:1460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
174⤵
PID:2276

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
174⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
175⤵
PID:4024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
176⤵
PID:2720

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
176⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
177⤵
PID:4076

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
178⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
179⤵
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
180⤵
PID:1700

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
180⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
181⤵
PID:2560

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
182⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
183⤵
PID:2720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
184⤵
PID:4296

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
184⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
185⤵
PID:4728

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
186⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
187⤵
PID:4500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
188⤵
PID:3880

C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
188⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
189⤵
PID:4508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
189⤵
- Modifies visibility of file extensions in Explorer
PID:244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
189⤵
PID:240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
189⤵
- UAC bypass
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awssYIQY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
189⤵
PID:2928

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
190⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
187⤵
- Modifies visibility of file extensions in Explorer
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
187⤵
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
188⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
187⤵
- Modifies registry key
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgwoksEw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
187⤵
PID:1356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
188⤵
PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
188⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
185⤵
- Modifies visibility of file extensions in Explorer
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
185⤵
PID:4200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
186⤵
PID:2372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
185⤵
- Modifies registry key
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
186⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZagoEgEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
185⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
186⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
183⤵
- Modifies registry key
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
183⤵
- Modifies registry key
PID:3904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
184⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
183⤵
- UAC bypass
- Modifies registry key
PID:2716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
184⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKgwAQgE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
183⤵
PID:4804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
184⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
184⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
181⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
182⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
181⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
181⤵
- UAC bypass
PID:952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
182⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIMkMsQM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
181⤵
PID:2320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
182⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
182⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
179⤵
- Modifies visibility of file extensions in Explorer
PID:1624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
180⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
179⤵
- Modifies registry key
PID:3892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
180⤵
PID:568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
179⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
180⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUkEUkwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
179⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
180⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
177⤵
- Modifies visibility of file extensions in Explorer
PID:2468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
178⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
177⤵
- Modifies registry key
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
177⤵
- UAC bypass
PID:1204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
178⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAkgMksM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
177⤵
PID:5116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
178⤵
PID:240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
175⤵
PID:2432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
176⤵
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
175⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
175⤵
PID:3060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
176⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIowgkIA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
175⤵
PID:3228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
176⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
173⤵
- Modifies visibility of file extensions in Explorer
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
173⤵
- Modifies registry key
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
173⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqgsUYcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
173⤵
PID:5080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
174⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
171⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
171⤵
PID:820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
172⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
171⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWQokIYU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
171⤵
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
172⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
169⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
169⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
169⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQooQMws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
169⤵
PID:3108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
170⤵
PID:3744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
170⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
167⤵
- Modifies visibility of file extensions in Explorer
PID:1200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
168⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
167⤵
PID:5028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
168⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
167⤵
- UAC bypass
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boksgscw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
167⤵
PID:788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
168⤵
PID:3980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
168⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
165⤵
- Modifies visibility of file extensions in Explorer
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
165⤵
PID:2076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
166⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
165⤵
- UAC bypass
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyEUQIMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
165⤵
PID:564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
166⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
163⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
163⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
163⤵
- UAC bypass
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
164⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmgQckwc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
163⤵
PID:4296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
164⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
161⤵
- Modifies visibility of file extensions in Explorer
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
161⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
161⤵
- UAC bypass
- Modifies registry key
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIkkowIg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
161⤵
PID:1596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
162⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
159⤵
- Modifies visibility of file extensions in Explorer
PID:3136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
160⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
159⤵
PID:2860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
160⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
159⤵
PID:4976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
160⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsMYQgIM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
159⤵
PID:3784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
160⤵
PID:1212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
160⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
157⤵
- Modifies visibility of file extensions in Explorer
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
157⤵
- Modifies registry key
PID:2432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
158⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
157⤵
- UAC bypass
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIQcQkgo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
157⤵
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
158⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
155⤵
PID:3544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
156⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
155⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
155⤵
- UAC bypass
- Modifies registry key
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyEcMIYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
155⤵
PID:3908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
156⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
153⤵
- Modifies visibility of file extensions in Explorer
PID:5048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
154⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
153⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
153⤵
- UAC bypass
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEIkIMYY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
153⤵
PID:4296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
154⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
151⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
151⤵
- Modifies registry key
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
151⤵
PID:5080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
152⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYQoYMkY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
151⤵
PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
152⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
149⤵
- Modifies visibility of file extensions in Explorer
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
149⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
149⤵
- UAC bypass
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQYMIAUc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
149⤵
PID:2684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
150⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
147⤵
- Modifies visibility of file extensions in Explorer
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
147⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
147⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dykwgcUE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
147⤵
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
148⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
148⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
145⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
145⤵
- Modifies registry key
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
146⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
145⤵
- UAC bypass
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEkQoMsw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
145⤵
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
146⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
143⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
143⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
143⤵
- UAC bypass
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cyAoMsEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
143⤵
PID:2092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
144⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
141⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
141⤵
- Modifies registry key
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
141⤵
- UAC bypass
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKAkIQkU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
141⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
142⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
139⤵
- Modifies visibility of file extensions in Explorer
PID:3164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
139⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
139⤵
- UAC bypass
- Modifies registry key
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAEYEoAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
139⤵
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
140⤵
PID:4148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
140⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
137⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
137⤵
- Modifies registry key
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
137⤵
- UAC bypass
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmYAYYAg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
137⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
138⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
135⤵
- Modifies visibility of file extensions in Explorer
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
135⤵
- Modifies registry key
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
135⤵
- UAC bypass
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tccUsIYw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
135⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
136⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
136⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
133⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
133⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
133⤵
- UAC bypass
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaEYccMk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
133⤵
PID:792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
134⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
131⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
131⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
131⤵
PID:1064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
132⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYQcMUoc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
131⤵
PID:564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
132⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
129⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
129⤵
PID:2488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
130⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
129⤵
- UAC bypass
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywQQMYwk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
129⤵
PID:4240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
130⤵
PID:244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
127⤵
- Modifies visibility of file extensions in Explorer
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
127⤵
PID:2372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
128⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
127⤵
- UAC bypass
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUoQkcAM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
127⤵
PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
128⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
125⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
125⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
125⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYMwMsYk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
125⤵
PID:3956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
126⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
123⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
123⤵
PID:2092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
124⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
123⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyksgIUQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
123⤵
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
124⤵
PID:2364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
124⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
121⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
121⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
121⤵
- UAC bypass
PID:704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIgsogcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
121⤵
PID:3192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
122⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
119⤵
- Modifies visibility of file extensions in Explorer
PID:3996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
120⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
119⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
119⤵
- UAC bypass
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoUIQAMQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
119⤵
PID:2432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
120⤵
PID:5020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
120⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
117⤵
- Modifies visibility of file extensions in Explorer
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
117⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
117⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuMEsckI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
117⤵
PID:3532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
118⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
115⤵
- Modifies visibility of file extensions in Explorer
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
115⤵
PID:3988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
116⤵
PID:3176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
115⤵
- UAC bypass
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uegskwEQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
115⤵
PID:1212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
116⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
113⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
113⤵
- Modifies registry key
PID:3188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
114⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
113⤵
- UAC bypass
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMMskUcg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
113⤵
PID:4540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
114⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
111⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
111⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
111⤵
- UAC bypass
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsYUEkgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
111⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
112⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
109⤵
- Modifies visibility of file extensions in Explorer
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
109⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
109⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECkMoscQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
109⤵
PID:3364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
110⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
107⤵
- Modifies visibility of file extensions in Explorer
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
107⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
107⤵
- UAC bypass
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWMMwYAs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
107⤵
PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
108⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
105⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
105⤵
- Modifies registry key
PID:1204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
106⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
105⤵
- UAC bypass
- Modifies registry key
PID:4272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
106⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWYcsEsA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
105⤵
PID:2320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
106⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
103⤵
- Modifies visibility of file extensions in Explorer
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
103⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
103⤵
- UAC bypass
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMgwgIEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
103⤵
PID:1356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
104⤵
PID:3176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
101⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
101⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
101⤵
- UAC bypass
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IicgUkIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
101⤵
PID:2792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
102⤵
PID:2788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
102⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
99⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
99⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
99⤵
- UAC bypass
- Modifies registry key
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYMYscgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
99⤵
PID:3108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
100⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
97⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
97⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
97⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGMAkMIU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
97⤵
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
98⤵
PID:704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
95⤵
- Modifies registry key
PID:3996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
96⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
95⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
95⤵
- UAC bypass
PID:5080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
96⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSMQAwAg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
95⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
96⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
93⤵
PID:2848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
94⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
93⤵
- Modifies registry key
PID:4904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
93⤵
- UAC bypass
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOMEUUkE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
93⤵
PID:4576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
94⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
91⤵
- Modifies visibility of file extensions in Explorer
PID:4724

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
92⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
91⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
91⤵
- UAC bypass
PID:4824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
92⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCQgkkMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
91⤵
PID:568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
92⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
89⤵
- Modifies visibility of file extensions in Explorer
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
90⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
89⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
89⤵
- UAC bypass
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoQckEMU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
89⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
90⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
87⤵
PID:3176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
88⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
87⤵
- Modifies registry key
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
87⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMMAAMgQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
87⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
88⤵
PID:244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
85⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
85⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
85⤵
- UAC bypass
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUcUogME.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
85⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
86⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
83⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
83⤵
- Modifies registry key
PID:3744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
84⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
83⤵
- UAC bypass
- Modifies registry key
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruUYgYEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
83⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
84⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
81⤵
- Modifies visibility of file extensions in Explorer
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
81⤵
- Modifies registry key
PID:3176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
82⤵
PID:228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
81⤵
- Modifies registry key
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIoUQwQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
81⤵
PID:2260

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
82⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
79⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
80⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
79⤵
- Modifies registry key
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
79⤵
- UAC bypass
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgIUwIgE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
79⤵
PID:2360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
80⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
77⤵
- Modifies visibility of file extensions in Explorer
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
77⤵
PID:2788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
78⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
77⤵
- UAC bypass
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAwsgEIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
77⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
78⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
75⤵
- Modifies visibility of file extensions in Explorer
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
75⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
75⤵
- UAC bypass
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKEkUwEA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
75⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
76⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
73⤵
- Modifies visibility of file extensions in Explorer
PID:4296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
73⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
73⤵
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
74⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYEskgAw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
73⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
74⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
71⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
71⤵
- Modifies registry key
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
71⤵
- UAC bypass
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSAEAggQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
71⤵
PID:5048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
72⤵
PID:1108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
72⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
69⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
69⤵
- Modifies registry key
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
69⤵
- UAC bypass
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYMgMIAY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
69⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
70⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
67⤵
- Modifies registry key
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
67⤵
- Modifies registry key
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
67⤵
- UAC bypass
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgIwoEgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
67⤵
PID:3416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
68⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
65⤵
- Modifies visibility of file extensions in Explorer
PID:3696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
66⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
65⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
65⤵
- UAC bypass
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
66⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYgwMIwk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
65⤵
PID:1064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
66⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
63⤵
- Modifies visibility of file extensions in Explorer
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
63⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
64⤵
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
63⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwQYYEUE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
63⤵
PID:228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
64⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
61⤵
- Modifies visibility of file extensions in Explorer
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
61⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
61⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEQgIogw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
61⤵
PID:1624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
62⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
59⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
59⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
59⤵
- UAC bypass
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYkYAgwU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
59⤵
PID:1476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
60⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
57⤵
- Modifies visibility of file extensions in Explorer
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
57⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
57⤵
- UAC bypass
PID:704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMsUYAIE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
57⤵
PID:4636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
58⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
55⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
55⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
55⤵
- UAC bypass
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKAkgoQI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
55⤵
PID:3136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
56⤵
PID:2624

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
56⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
53⤵
- Modifies visibility of file extensions in Explorer
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
53⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
53⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUIoUswE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
53⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
54⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
51⤵
- Modifies visibility of file extensions in Explorer
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
51⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
51⤵
- UAC bypass
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgYEgUQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
51⤵
PID:1108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
52⤵
PID:1924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
52⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
49⤵
- Modifies registry key
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
49⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
49⤵
- UAC bypass
- Modifies registry key
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwEMgwEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
49⤵
PID:3316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
50⤵
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
47⤵
- Modifies visibility of file extensions in Explorer
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
47⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
47⤵
- UAC bypass
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqMEEUQQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
47⤵
PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
48⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
45⤵
- Modifies visibility of file extensions in Explorer
PID:1924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
46⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
45⤵
PID:4936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
46⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
45⤵
- UAC bypass
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkkcgsQA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
45⤵
PID:2420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
46⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
43⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
43⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
43⤵
- UAC bypass
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEkIUIcg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
43⤵
PID:3472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
44⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
41⤵
- Modifies visibility of file extensions in Explorer
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
41⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
41⤵
- UAC bypass
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMAoAosQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
41⤵
PID:2368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
42⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
39⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
39⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
39⤵
- UAC bypass
- Modifies registry key
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsYAgcck.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
39⤵
PID:3608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
40⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
37⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
37⤵
- Modifies registry key
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
37⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DusUIQMQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
37⤵
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
38⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
35⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
35⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
35⤵
- UAC bypass
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
36⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poAQYQwk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
35⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
36⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
33⤵
- Modifies visibility of file extensions in Explorer
PID:1832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
33⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
33⤵
- UAC bypass
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQwgEUUU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
33⤵
PID:2984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
34⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
31⤵
- Modifies visibility of file extensions in Explorer
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
31⤵
PID:756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
32⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
31⤵
- UAC bypass
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKAkAgYo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
31⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
32⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
29⤵
- Modifies visibility of file extensions in Explorer
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
29⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
29⤵
- UAC bypass
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygMAccgo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
29⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
30⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
27⤵
PID:3608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
28⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
27⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
27⤵
PID:1036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
28⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmIAUQEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
27⤵
PID:3492

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
28⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
25⤵
- Modifies visibility of file extensions in Explorer
PID:788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
25⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
25⤵
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOkYsYcI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
25⤵
PID:2092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
26⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
23⤵
- Modifies visibility of file extensions in Explorer
PID:3392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
23⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
23⤵
- UAC bypass
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIsYAQgM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
23⤵
PID:1012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
24⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
21⤵
- Modifies registry key
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
21⤵
- Modifies registry key
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
21⤵
- UAC bypass
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UggcUEoc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
21⤵
PID:4128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
22⤵
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
19⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
19⤵
- Modifies registry key
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
19⤵
- UAC bypass
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgUUYccw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
19⤵
PID:3544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
20⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
17⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
17⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
17⤵
- UAC bypass
- Modifies registry key
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qscgwoYw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
17⤵
PID:3480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
18⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
15⤵
- Modifies visibility of file extensions in Explorer
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
15⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
15⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeUUAkQc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
15⤵
PID:3752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
16⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
13⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
13⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
13⤵
- UAC bypass
- Modifies registry key
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCEgEYAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
13⤵
PID:4120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
14⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
11⤵
- Modifies visibility of file extensions in Explorer
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
11⤵
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
11⤵
- UAC bypass
- Modifies registry key
PID:3228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JokAUgAw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
11⤵
PID:2076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
12⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
9⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
9⤵
- Modifies registry key
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
9⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSgkQUcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
9⤵
PID:1768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
10⤵
PID:4860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
7⤵
- Modifies visibility of file extensions in Explorer
PID:2224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
7⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kywgQoME.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
7⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
8⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
5⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
5⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
5⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiAYIAQY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
5⤵
PID:540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
6⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
3⤵
- Modifies visibility of file extensions in Explorer
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
3⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
3⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wckYMMcQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
3⤵
PID:3480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
4⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
2⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2492 /prefetch:8
2⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 /prefetch:8
2⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6756 /prefetch:8
2⤵
- NTFS ADS
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9998986247995008504,16604841502665276625,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5044 /prefetch:2
2⤵
PID:1728

C:\Users\Admin\Downloads\InfinityCrypt.exe
"C:\Users\Admin\Downloads\InfinityCrypt.exe"
2⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4880

C:\Users\Admin\Downloads\InitializeMove.gif.exe
"C:\Users\Admin\Downloads\InitializeMove.gif.exe"
1⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\InitializeMove.gif"
2⤵
- Modifies registry class
PID:3060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\InitializeMove.gif
3⤵
- Modifies Internet Explorer settings
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:3732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:2440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOcMYIcQ.bat" "C:\Users\Admin\Downloads\InitializeMove.gif.exe""
2⤵
PID:880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
16B

MD5
d2c938b5735534f6e91e93e558c7f74a

SHA1
aca3b10188bc6f4d6adc36f1e5f2b315d5874273

SHA256
326c7f707a5875f12b18c05d8e9699467c450ba594539b2e7920d9ef3f6c2f1a

SHA512
0077738fe7706f9e8b411ef7fca9a90c72733d0144cf46d4b4a01980b5e80736c0fb0974be6f2ac4b7d7f950b529598d24b86a7cc0b9a369270f377ac58c681c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
720B

MD5
f8a66b8807ae6d4d7d5c06246e5f9bef

SHA1
47b92682fbd510ce2e3bdd6d848662c41526fe3a

SHA256
3254d7182e7f49ec24e5572af1f62b792ec470c090d2dea3267b2bc1cd933a4e

SHA512
deef18ff14066c6ff66f0ac1342acaff275b8c39b578ca2de233a54a49808370d878c10640f2a4eb590b81034586f8626afb3778a23d23adac5ce3ce11758694

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
688B

MD5
2be4ec2cc1fdbf35c780f6aaf1821ab5

SHA1
c38faba5b6d74533addcd8dbc97e56543fc3a216

SHA256
23a116971f74d6bcf2453401fefdd60d76e53c0a1d9813436b2921fcb29fe5bf

SHA512
f300b10196380b453db23e6fee5f20cfbf62345bb2744d5ea3a8af4f830439f40454172584ab0b1c8dacaf682cb99ac42cd40c8c8d1350b6b79754641cc9829f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
1KB

MD5
2756cc9401deb2d8a30dc4e542f5f750

SHA1
6f19ab5e0d03deb3286c80c8bd6ad166c9eeba3f

SHA256
4c6b583e7e18ecd06ab9557612f0288366d34695afb41b344bf0a58770fbcfe1

SHA512
1088ea782d927c65cf4ef4b043a2df4c4168ae92388b1eea5edeae3c0adcdf2ac29d19714c4904cabca4c8af9e0096009fc496fd3d29a12a91ba5a188c086818

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
448B

MD5
44b62e8f4d3b1d5eaa684391ede5988d

SHA1
b53eee883fad95abdd8ab812103ae77899ab6e8b

SHA256
e9c1ba08f44f0651c4844556690ba6a57164514928b4709a5f7041015e1c1aeb

SHA512
aee4e9d51bad957cf666303247161d80ac7708159630f743bed4bc1632c836740737de7aa84eeadc0e787cc9722fc6501bcc95429a286b17d866253559d2a050

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
624B

MD5
d86c9d93f4f539c223090a8e8c882668

SHA1
73e8d07eedfeb37e15c335ad4b250ba7a001069a

SHA256
3705a1c0e1fdfb72d9318c8427cb73d93434ede0c7ae9dcc5bcd63fde659b412

SHA512
b5828df5b7ea406e4d72fd77cbda3d45e08e1776ecddb90af68d7344aec0ede7e01d32adf663d5dbe584e32d9ff3e16cafcd66231e094e430160630f5e531a22

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
400B

MD5
a49109e9701e3baedbfa52a1c8e20048

SHA1
38b2d8b825d484678b6181e6c777078e5acea49d

SHA256
f2b8489572877362f9ebc3d33bd43543e00de943d155f73397e8318404f29c23

SHA512
adac451187cdfa2003dda714cb554f93aa2e240728361c239dbf0dd69937930fb7fe9c0daa0dd3a8cbfe652012528015e7eb6e01771fd33be54b809358e26c16

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
560B

MD5
9fe7b6c800ef7e6520ab725d7061e138

SHA1
2b3500005b5f005db1281294e7e5a7bfbe13c439

SHA256
878ca81181c35ad61977b1133e9bb49bbff8ae1f548998f558972a69aea8b94b

SHA512
ded3bcf2ca43ea273a9ed8f4027cd96f05c412359fde5170b53a46dc3bcf8c88ab526793d604a37cdf43e66a87b10007155441ca1b982d21c5a9662e5c3ce488

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
400B

MD5
142d9144e6e4b6b237f8af35fae905d6

SHA1
47e9f632f60a8bd05e8c4416dc732bf834175c33

SHA256
4e7125c6b5483a8c391df6ceba5318297c84d3e6e8dde6d3c8e0ca845cce7a1f

SHA512
8b6e0d478b5a461efc351358041486f4f12a12d60154e1a2d3e36521e488c208a8bf140eb72a727f441ac9e68196eccfbd2980f08ebd9adf3d6f9f9725c5ef55

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
560B

MD5
29199c4edde133d4fbfe1106301199a0

SHA1
fb9dfe25dca271cc7666a49780d1a4c80e12626f

SHA256
b4f32e352ddd45721a65f8055922a9db7f713d708331bfe08493722ce1176903

SHA512
3651715319a2a09e95b8164c387e00c78efaeb2005f89c00f482c158340e3108d086b31ba1937f60e6f55900e56d492a7082402d67bb4aff452507f0a86845dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
400B

MD5
009d256d66ab0fe4b35dca2b1c84e930

SHA1
db4db328885a6aa1b561f6ecc74401aaca4c85c5

SHA256
0e676f7b8a09b34211ce0dada0223784637d79fc7ae576b710a47028cd42000c

SHA512
fc66cf1e820d5d56a3d30058276c498f911d22988e07b588512f26ae1206ec345afba61b09df474097f53e71d829519e53d20fd10e7255d00b3c1fb9b850979f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
560B

MD5
0eeb7380f78326a13939c63bda81c27d

SHA1
7e19dab96d78e3066152f501cffa41ad227cb1e7

SHA256
a27cac179d00e2987da777c1a13ba6e998923bd474c1c7fbe71799f31613f9c8

SHA512
d0bdc0c5282321debb21be0f10948555fee1b33910b7064aa9898b18c626d3b9d3e92c320ffea9d6d26703480072909c7b3dabf070639f042fd79a034a34370c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
7KB

MD5
00fbe16958e6bddad4af4a37655fdd0a

SHA1
36b49209a8be7c977c415fb5d9a51ada538a9d94

SHA256
5fcd04dabb23944e9d2e3d8384ed0c031246f68e96b4f5154fbe80d95d2012e2

SHA512
c4fc542d003ea3a38cf2445ad3ebfd38544631d174a0e681b6311c6c580c357f74ed71b7d8e458d35473811604d7093dcac51df294d18a7d02b6d63501927cf5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
7KB

MD5
324cf3ef543d7c857ed23ebe611ecf71

SHA1
079881f4bb64429be1fb5235c125d25e485257a7

SHA256
304103c28d0a98da0816c2d69b76b505f58371876c07b56fc35a3faf52922873

SHA512
44375f345f31d623c2138d02113585ab97ad0865f9965c14709acb5934d803dd8608415ff7f444c779b08508fa3ccbcbd2f6ee5547f6e0e35a7d2967a60c1bda

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
15KB

MD5
3c39cc801491c6437a39fa6986cfd3b3

SHA1
ebdd2a053a464c9fdac590f4c9cdd6bbb71e67a4

SHA256
e7141cbbb781248798b38acc1bfd774a70c134dec4f0e2b1d0d4c5fc9ef7db10

SHA512
af55e772acb2c0fb1b015c937338f2b119c1bb3800f93a70dbf9632a52406e9448622396b881f3d765a9bae5f5663332339f43c29097cdc1ede5d98e8ee4bf32

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
8KB

MD5
8fb4dc265839f5de57d3639e907847df

SHA1
1e4f4140ce11c79ce3bbbdb59f35a85501de37dd

SHA256
adae37b4e7f9dc26a9a99c86a5d8a949e1ae41a4db99e12fcf1032df7699e4f1

SHA512
17d3e406ea129d5ceceba44288fe170a3ed6c813e5d1a3bf0e1e6175d277287a28d060a48d3d46d9932af03daa3e97ba2e0f6e212c1e2408041d2c6a35fd1f2b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
17KB

MD5
df01f7fdb275129331dade3964672920

SHA1
e6defa0c56011e2470fa977b1a9be7e35a18d190

SHA256
08ee6c2750edcda0870f2c77689f99f58be6669fe1667565dd6701476227de84

SHA512
c4b7c119393bfcd21c3d9b89902355988bda77f32995a3b6e4040635e13704b1f5c6d7f0fd6c330aae6d6a0a1bb55528647741f83f7ff92c32f4746094a50bab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
192B

MD5
b0396b1f78ff634bc41c1ec62d230256

SHA1
dffe7280f2a933fa13b40617cf09b0a768d3e9d7

SHA256
68f75512d5f4d0afcdd44d9de854131dd9f74dabec8d042cbc72b8c5d7c4f08c

SHA512
6293d7d5d67b8d0601e2d97a42ae3029162d9c009e31b4a80b14c80d7990248205df6f8f4e42fe4f5a3da771b65e98d93d063ccbb18b580d13b050bcc06298d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
704B

MD5
7a75a684e037c73c5360d0a560574ac8

SHA1
b307078b90bbf87a359c15805685387289528c0f

SHA256
e4c1de76ff0424872b12ec30f987c550045e0f8ca1fb5a8025b3e2530bf042df

SHA512
5e75bf9dc67327cd3f247e4663b37e68332a1f366bd5613d530d74ae4320a59e9bb9dc730b82d986bb76f7485f3b83faf633c063e8b48b198e2d06bbfba1cc71

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
8KB

MD5
06c236e895d1a26a44ebabd3067da655

SHA1
14b84e8ecc58ccbe8c9c114ff2f56d26cda32ae1

SHA256
d12e256aca1cb7da9cd88f1c7ae6a5de1f1d809d2826a352e9b8527e9fd47717

SHA512
c49bf29c8a43d31845dd65f3aad63f6d5944ad58ec964b1f4396009d17f7618c9240bed02c61a2524474d9069a02ff8c1bb003f52520b9802758c4f71c00aae7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
19KB

MD5
611184cb53feb6f3c118f94124401049

SHA1
39e2ce54497433a0d83c2a09d27b8cf7dd785514

SHA256
6f98be464d8406bf61e080ac64134e2600ef5d32bc12d5954f6a05b9a200fd15

SHA512
08e69822f22bdf3db0bc515af702f1098ecdb41f1a52011589de141154dca140c394d590ccbd0e78e93d22a2feaad4778550d15528f3cf4a5cc74b0ac1bba9c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
832B

MD5
bc5cf381d305821930181ef9048cc46e

SHA1
94c728e2a6d23f87a4ef33bc71374aff6ac9891c

SHA256
d5543841686bebdd87d336572d099914a602c38e91d8c22f9843f8b0ede60c3b

SHA512
bd88b84a74ef1d47251bc66ba6807e11f7f022e1be174266805350431f1757924135655e30caa82123b1cbb2ee99d6342c09086a3dc809ec279527ebbd49666c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
1KB

MD5
bd312151ef4d733fc338342aef8184ac

SHA1
71bed8c086c1fc57aa90327e7b4ec3427cb0697e

SHA256
1b4b9c02bf28da061e2ebf4dd3357aeb42257a4eb15dfd09ee9ad8432337817f

SHA512
9c2cb23f996b4d4de348d38fedc77e41693b993dcfe1feb6d7ae25fb64a6833c93323b4853894f387aff7dc8a7f14a71b3fd45432923044dbfc19ea20b769024

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
1KB

MD5
c4839c77b9e3157b181546e970bd1fc1

SHA1
33d20f1ae170eb5a51d331ed74d6bb69ca0e7f17

SHA256
7007bb751c78bb794369fa076905e2d0b73b702d8e4ddfe091732919579d97f7

SHA512
f9052e3bf7caf012af9e9ba4bbf6b7531c7dcb351c526be48786372a48c6ce8b20633e0972c80aac6b8f0ef4083e5ed120869a1cea32bfd882b8aa4c29e31da3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
816B

MD5
bc4d94d3cecbc9a7962d4c2997380cab

SHA1
a21a0a37bb0aa0e18c180c439522b57b2ce138ea

SHA256
0ae74e888027cf5677b85baeedbb30384c4184e1c91298f4051db45c25314a3b

SHA512
743be1af0cb2ec37e541fd1b15f4c53df7cdd5b5489bf6e1d630e918361e14c0b0d6cde82c5101a473eb49ebe1f6e3d5e9602236113b02c85f90bddfd88c8ddb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
2KB

MD5
e979941f0cb87deeefdb969fa4aea997

SHA1
ecd467e31dc52bd0847cd4fecb3f1e46a80a056c

SHA256
3d158e5a45852c4c7b937f25592764ac7b5020fac4e9bc976fb93c2921abe442

SHA512
d005c5b283625ca3f320b14aee0d18ce12a8d87b90ffa61bcc0051db2ca521c79e850af2f1ff37d0fa0118e0ad0473b8fd1d25ee7cd28d1c6bc3b7ca0e456094

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
2KB

MD5
cb7a269eb61226382062035a722d5675

SHA1
97baa15e3a77652446ea24a4b3e7bb715832d065

SHA256
e3b0ccf710ee8c02eb7d0634d3aa585ba3d271f0c981d3eb6f3cf8f9d0c5f2d5

SHA512
e7f5a4a7a0d83ad9e38424928078cba84bedc922819e9cf04089b96ddd047d285712ea90152ddc63f227a456cab1771e6db4d14eee35f265256c6681c15220a9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
4KB

MD5
e1b7135c2e517f98449b872969ceb4e9

SHA1
376fb91286d85e4e90d61e9934a193af56f3cde7

SHA256
1a18a8de9dea2d5b1375244124ab6de091f03714c94423c3234859646a4e5f70

SHA512
7edfe261648ca5e7c7aac80df0e24d710b150ae23a006262521503da43e7df6d91f2d28aad33bcf4b8c9e654da149dfdeb4468ed92b54779a7329402be5103b0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
304B

MD5
e0047a4a44e5cd47917e4044395840aa

SHA1
058bb63c19b980cb7ba8650ea636d6bab3afc396

SHA256
20569471fc25b628956ec57e3d355d1b92c525da1796a9cbc715ad59f4a4da51

SHA512
bd3fc8ba782d5c89db2c26385038b76a1bfbac89e9bc6539370998e2e561f71baf96af3b7cf50057f8d70748aee1c0feecf379dc50f9536fbb1ccba7f37275ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
400B

MD5
6dc165b46b1339332c7ce104d5da96f9

SHA1
50adb22917ba2d55d70e212f81964b7c81ebfe16

SHA256
23ff346350de2b3ae67c9cbacfbde3e7ed5eb980f55c88e1a22d7563463826cd

SHA512
bb24274157805a6c71bd93733fc1d13174a76d11309ec8554238cfa29982710abccc4b74467078f3329d62b00191abc5ff3c1dcd25245b7c7598551d1d03e2c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
1008B

MD5
4f7b5186a887bf587bca8689d4352ecf

SHA1
a762fa0ce59a7d73bc968471f4c98653366d8e19

SHA256
58cf21e276b2f0451974c6929c5db8b61f8f7bf180a7296dbaee5894873bf4ad

SHA512
1ddf450e2fd916cc2c3556b48315ff569cc6acf093b17ea37325d95fa70c716b9d355e6f181c28bfd2a0b4afe686c69caaeab3117cc5216e348ba9ce94e22bb0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
1KB

MD5
8d91bce3e4ff5fe9349b40f76adf7a8d

SHA1
35280efc2882cb6d196f9ab51545e32c8365cd41

SHA256
e43144f80186412cdb3f2cadb1b482b019987f82c4532d5d075d88bbf47ff646

SHA512
4919adbb6d2b1853aab2cd4b2cad05bbfac021c689950db33be5e87dc95ab898b9617bd7b4fa8ed464e1aca510a5f1ffbb1b37860047ca3021b755980a3a4db3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
2KB

MD5
2469812c733332a04330317b0aeb03b3

SHA1
8dbfe5b10b9c28e360b38fc105a2c6a7ee6b3c93

SHA256
224170be308babe0c8047f2f8210d6a81464f592ccae3155955563d5b17278b8

SHA512
f812d15cf550113a40ccb801c94bf28caa77e3f8d278c02bb819e07449c2db30979262f8b0ae39da72beca2d7450817ed6c3a4c8060a3be2a5dd8c0a33c62bf9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
848B

MD5
b05f089e4f1a8a7ca3c0d90063d6716a

SHA1
69613b407466f5d7c8c0f1e963a97aff4c73b01b

SHA256
4f1807aa3a20e25367f353169895bded32199139a4a16f2b867508c2acc4edb5

SHA512
78dcfd6b04f8c75d23a3823b0a25744763a7f288219936edddf57a03066e25f1c10a419f473104693c32b00407c5f339a960fcadd334b4e568d465ec668d424d

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
32KB

MD5
ddba79292447bdec36f73611e406ddab

SHA1
dbf8bce08e16c1560807e9d80573bb8a1c163595

SHA256
95d3f49b2b6de9c13f4db38d9b1a4cf8835658a22675056641736bebf42395d4

SHA512
6d65e63f97d8c7118fd6d9c6a35599ecbfaa2c1c0c81e7456944ac0d72bad7d05b301238ee9866629dc3cea2311fc0674f764eecb23ef3181c02d309eb579ec4

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Other.DATA.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
48B

MD5
c747f121662fcee5686d76b25b245302

SHA1
137b91c6acae519d90ced52f473478aa263259d5

SHA256
98d2f6e162436dc3a10c55658c9aa01fd85a20a948076454f0b78d84b0686b54

SHA512
4ebd40adfa87a3abcf21812cb1df3f65cd673dbdf16df75072b76a445e733fdbbdcdc0e907164ddba214f41a4f787052e493a3b9119b54730e70fcd1fd31f608

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\identity_helper.Sparse.Internal.msix.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
55KB

MD5
13f7990ef237155535e9282523802346

SHA1
e7e227d6ac33aa8f2a31f1440897a1295c0d4f44

SHA256
ff2355d9c3ae5886e3ae1723ebb6ab708a01c4eb3a2f0595202f96f80070ba16

SHA512
7ccb0fc9baa709637443a47fa65c029ea80a8cb967b2369c994b243de89c34bc34b3245d5b6ff7278bbd176a51c710706d9d8c5ccce915a7c9e5de57f148a904

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\notification_helper.exe.manifest.D913173295E391B47DDC4F2002646F1185D779F14A5449DE52319BA43A22B62F
Filesize
1KB

MD5
51af83483f6bf3b58be44608769e03ad

SHA1
148dcef58b0b7bb9ad0d1a7612f22dd4981b3671

SHA256
bf847d1e4abe55be2abd66667cdb7a2293c593f3933a6e7469057a4b5efbb7a8

SHA512
b85b34ff4afb1fc0639f181d8da2ace8dbda76b8097250256b0ef190be3b76ba4d3e4e8b3720d36c435de3fdb36485f53863f65446c520adc0b6091f47dfee1e

Download Submit
C:\ProgramData\DmUwMkwo\PKEcQwIw.exe
Filesize
193KB

MD5
a49c24cb33e62bdbdab1c5d5667bd730

SHA1
ecbb6a06a0ab0e7250c9e235de356db1476f9d22

SHA256
736ae9fd875049ebd92711b3b200470f9f107f96c07558291785cbd1e180b190

SHA512
aca990b40e8c333d5097a5fe12d9452e1a2b84d16f7b07102476ed85c0bced7265581ec5b7b8e310c86d2aea0ea821baf361e1c52221e0117d1d3b45c4440208

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
769KB

MD5
21522f606d5224e843669fce6686d7d1

SHA1
197a1a7f1d2d3f2447d920db0b4d7a92acd9ca51

SHA256
8c3b933db6070615927b24a027ee6eeb187765883c8e7a4440eedb2ce00248a2

SHA512
f90824157047a819cd41f1bb60bc5ca6bb9b2a845bd25875a5de5f16a7b537bad894743935e44a13197bee92424469f5888f2301a22efd67c26312bec3b1cd10

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
Filesize
201KB

MD5
54e95f68493a0bccf7b1f91c03381321

SHA1
d7dbe526a480f0d2fb7ddea1415f91cf917e7878

SHA256
776ae8a1c55ad64d82fc7d36cf2a97a31fc9d62ff4f3ce4eabc9c2ee2b97da89

SHA512
9d708346537a388789afb780b1f16cabbbde65fa304ae975da0b42d3ae2e4f9ee794c72f8ab34dcfc395c8c590a9a36342c70ea074897172c9f13a18b4224425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8d5e555f6429eb64461265a024abf016

SHA1
05a5dca6408d473d82fe45ebc8e4843653ad55af

SHA256
0344fd65882ba51695a10e1312e65f08d58afca83771c9d545e181829d6b5ed1

SHA512
be5edfdcda1ba0db9fbab48ee1b643f1b03821e24048892d18033094fec14171035179e987a08dd91a1c25d91d9256837a4105f6765afd225a868f3e95050b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b5710c39b3d1cd6dd0e5d30fbe1146d6

SHA1
bf018f8a3e87605bfeca89d5a71776bfc8de0b47

SHA256
770d04df1484883a18accb258ecfa407d328c32c0ccbd8866c1203c5dfb4981f

SHA512
0f868e4ce284984662d8f0ff6e76f1a53e074a7223122a75efa7bb90d0204bc59bee4b36c215d219a03707c642e13f5efce0c3c57f46659a0cb1e7fd2f4d3cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
e301441012afa72777ac0b43454617b7

SHA1
e03c5a977d5bc51fb727e70ecedc6f0bb01328f8

SHA256
117b411c8cc854a073ad42913bfd719a276aba7bb088cfde636554a512e87e51

SHA512
4a1c1047fb14df0abb8c654568700e311de880f81d910a4647ebde5a6f26eed0208c1aecd43aa10da0b079798dd9bf6cfdbdd3f1f4a387ff4f0d856c31dec22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
65141ee7de186b38be5e1fdaddb3d501

SHA1
455647ecf2fe6d59ac8b378758eb06b9b7a4e69c

SHA256
534e5e7800ffb87965af22f5b6137df74b4cf5ab7c061b0a325bb5f62c157465

SHA512
d0625d5c88c342ebf59235de6d9ce14e2e9c054d6aa15cc3658a8f9fd913642374f817c41d594b77bdd17218b063047a572d1eaf4ff5c33f638550dfb9f14b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b769e3e3b4f1283898b7c21c6d543351

SHA1
9a6e1e1725ddc2845f54e11b687029c1b31b6390

SHA256
cf6ae59f213af9eba1f18bc4fd03715db1cf8b97ded8991f7200a282bc87c5ce

SHA512
4a8213a6a8fdbbeab7f17c43cc518d8cafa0cd17ab82e7834cc6b6f232f4fd131d57173b0d0accad097ce8b78996a0d3560d94fbe3a71af9b7c986ea230a2665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5a63704a184ff99b086e6676a3ca3a19

SHA1
3188f9d7d80461e67e3d1139d5fda56873fcac54

SHA256
b960bce6ba5c33ed20d9ace6eb11d6c44a1be015952f8e2d0020e6fcba233bcb

SHA512
b18f6736fb522a5d276686e91fbf8f58410b7bc84367b010cc91d92b1b6e40a19c5f7c516d78d684a3b12df60640334428a30bd9e7f25e16cde4d4cdd38ffd0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c5600c9f5206129b8b34de235410e5e5

SHA1
ed588c7c9478448e6cdb950e6c9327fb7a0739ee

SHA256
8d2ff8ff3636e759a16e1a20e7b8347f44e006b2223d14abde014392e2ecad1b

SHA512
65517c7a0df30b74ff34fc7661c72eff3a73df7b17107e4349865198aacb21792223bbe269015437ca980d781bdd7e196aac37147e815048cc905d99ab097cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
75f40b0a4c5ae72a2cf05f813b82ab59

SHA1
6335b07bf7d0b97342e9e9fc4d610b75dfc5f670

SHA256
8618894bcf2579e922a9319a8217250e0ca267cb12b0f4b5662ea1b3b7b96efa

SHA512
852c6433d41b0ab6d8884d96cb51ad311d370d10861027f134829a079a7d0ba294c5d157c8b467c7ce3cea33a9c409ada2dd4e3783779a46d16eb133943b3f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0b8578ae530f44229e43afb608a98328

SHA1
f0d704cf0d18617fa76e7f500543344be26fe4fa

SHA256
5089c854b02aebb15068182c913cf26e66928028283015627e7dae11d24644d1

SHA512
9d6381f727ba29160bdb1eb24d2cd6350935c5e185c03d94b09a803529a01046adffc4761c6f7067dd68abe51bb876729bb5654f51279da042fd4c01d2312da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9b70dc2f61efa0dd1885cad56cb7909f

SHA1
81c4352efa6b10b5686f736af1f8d4285ba2d2b3

SHA256
ef3d8c35997608c2f22d856ae4b66bfcfb9f52c0d90da156805492d99492c5b3

SHA512
1339a5d4dc69d92717af3e3410d7d0459f66b218eb79ade584f2b479d97485758b701c38565f783063b710917fbe1e066afbdc8627445342f1aec79f7c48da3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0aa71152e9ddeb2331a331c64f9c03d5

SHA1
7462788a553a1424172a2520935c2015cf5acbd8

SHA256
bfa28977f2b5c7868f4ac1cd2b3460c90acb55eae5aeeeaadd73cd355081bc63

SHA512
11104004ddefb3d28569838b03227cc6bece96a6418333a4e2577691f9cc14c944112e6da20d19335b479b3de6e80dcc7ea5033007f22c4bf2dcfba1c3f36ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c54a258feb78c68067587177ded2958b

SHA1
27192eeed22b0ca90362cc69631518534ced8ee0

SHA256
a7d16ce5a183e3365d9322a91ad58df768eed1122cab71a35f8023480e8ee53c

SHA512
868f1dfb2d0806dd66a2546431166a47d1fa87ae30c853698bac15ebe6b7b3df3d2873cadb5199ea9237e31d5cdbb74cf2fddae8cfe16e6c6d0c3a9ddb611fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
21b739822ff5f332d1fca8fddad896b6

SHA1
84494181e95cd27305a7df5fe7c1752545219c5f

SHA256
ac1252f9bb72bab853f14cd314fa0bb85aa64fc5e493454d19d40171cab018c0

SHA512
2043bf10e4d51b7a29e5aac79a0b41b4e8bd8074658bc646408eb16996ef70e00be3dbe04d6ba62a943bd3dac6e9b22e04493033bbeae770141522ef5c7cd459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579153.TMP
Filesize
874B

MD5
087cba9bfcba7c168d0f7eb2f508c856

SHA1
ac1dcf0346b577a0d9f3312510d0f2e4eef4d01b

SHA256
9af9924bb185131c24acc0e131b569edce066d3fb7340e6116a8774ad2dc798c

SHA512
24f9419042ffcf75003582a306bfeca4d0205fc13653bec43b3654a8cc2c56b5aeda30c3122b0b5b96fcc7eefc40cdda2833f23bbbcd426b9529c5772f5fec3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
cb4e5f7818776e931b10f1be050ae580

SHA1
375c60111289a546162494b42340da5d6b198176

SHA256
e878e7737f7c3e1d3207f7ce7e30b7d728e3bceed08c8f531a9d8124a6666b0c

SHA512
9958ab3b6fb49371ccd7294577ce659f1b7df7f073c85cee516cb0b968abc7053ebd8bc3aa89ae75d7d8110a85c092639a7b9a9be70afb1abc883c541384c58d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c15940c2fc566c63ae61fe1f1530a9ab

SHA1
15926627e6271fa5f02cf9863d8841304dfd4be4

SHA256
d88524d4989bffe67ecd218f93111eb6a2ded856dd95ad6cec1242bf958ea7b1

SHA512
156bd5664e6e89c80964e28502241dc2622401eab08f9e8e4c67fea5522af023735f8118498e7ef92a043b2c7ebe2221ad0b62ac06a4bedd4191d638fcdbc70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6b2de74edf586cf374754779d062214e

SHA1
5c07736ddfa526a66312537292a81076ee0ce92a

SHA256
ed42812f75284ea142456e7573000ea72bf50c3b7274b6a1b2d90fc3ab5cd7ca

SHA512
49d05a31641a404731121a3986cfc0614a0a1dda63b1cd7bee07f912c48579bcc2870b5f7a58f64be6446d80e8eb518fe7e1278f7865eccc60ca0b34829cb97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
17a52ec07e323f33fcaa10a8bab64f44

SHA1
93666f7f8bca01fe3813e9b146eba39ac663a3ec

SHA256
5ca6937bbc9bb9bac28ebff27d1933e2f362d128147456e8b7597b453585c314

SHA512
020cc04cf37410e6578198dc2755ef1e6a5117452a6777fb31f88d239f164f6ad30a0d0f4a5de85980b374188806f1ecdf65ea0f7cfe45775db71919b88baa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
192KB

MD5
d87daa0a5c9b7ee19a09989b17610522

SHA1
29c31279f624e7c1e3eba802db48710b84617345

SHA256
1fb9e21641865dc6cd53bc14b0ed95ac5229d82aa2b55509cd14d9155c2f0321

SHA512
defa8bb850c853cc115e8fdbd045a2fb3e8ef5bc9d772d30a9fcdd35589825ea3195906005fa5fb011caa9b47905fb61cd0af1728775844ea13114154c493573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
Filesize
193KB

MD5
aae048d4548eae05daba268bf93f927c

SHA1
d7afb4ab6e3bc5573ef3ffafb38f33d25235b528

SHA256
701e780449bd43a0542ff4b3d797bbfc440bc6eb92b35568f34efe1de020b6ca

SHA512
de1dbe86c71936b8715193f87ef4a820c1462d1f7333e3f37db394a8c9ff0195f5db4262c3cb3738a7aea46a9bd7a0a91f24c03216e0deac5f2522adb779aa7b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
Filesize
194KB

MD5
7e7c9b54ccfb49c9ff6d8d386bcb5fec

SHA1
c00b01102ca44351c4490645ae46e027d40693ae

SHA256
bd4cc9bbe90f7f9e5247af4ef20448cd023418ae83e9c8553a4b1731918f2f88

SHA512
2416bbc1f9247e38949909e8904407539007a73ffe54d2f4ce8de1536e2072bd994c97fec2c6e21d98ee77fbd5863aeca662a15bcf31d1dfb6ea34a4e749eda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B8.tmp
Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wckYMMcQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\Downloads\AAMk.exe
Filesize
200KB

MD5
953f56d4b50cf6c7721f255f9961df2e

SHA1
50fd4f07dc438fdb78de0bc53e69bfd285f0e676

SHA256
d5ddc2461804caa54267e2ff3415316888d6f3825e7726b4da293b5bb43384b3

SHA512
294f8409abb9f9af56ca1855c869e575328a87f830cdb7236fe61cf636ebaef1aca1df14f92a2bc1b0efec2f0d3bbc0ac3c583256fdb63fab1a2de21404fb158

Download Submit
C:\Users\Admin\Downloads\AEMS.exe
Filesize
203KB

MD5
4d05fce5e388a721b1c0e6524fbebb9c

SHA1
8a08f8c956254117d1dfd9ccda46bfe497aa02c8

SHA256
7b8efe65abc2cd6102ead816cbe9c50382d61aa8b1e00494f30e54a4747e4a03

SHA512
e6bd934b84f7924931a96f21904563a856611b4879db85396cc6e8e891281140ebe64f91c4555369a2fb51e1200fe0eb237c3721074eb975c3103fbecf696a02

Download Submit
C:\Users\Admin\Downloads\AMEy.exe
Filesize
585KB

MD5
95f957cfd6644514e0aa2d7fd2c38689

SHA1
3882a7d84ce84a7c383b847eb623dd0f7d998fa4

SHA256
ef40b11617e279ca6a9d59294d1dd37fa69b75ffe20b9e25effdc254c4b73779

SHA512
fbc744d27226dff3aeb1d7fddaa89b24bb664951bb0d340e02a2f38a64b5f8dfc3b4f8654f6b9e40914af3ed7f32220003acd4dcff6d6f45d4a7cf649bfb99be

Download Submit
C:\Users\Admin\Downloads\AcQm.exe
Filesize
185KB

MD5
0aaf530ac281958abec6738f413770f4

SHA1
e2a7549040e57eb0e2cea01b86b3aaef9217a48d

SHA256
d1f65c5cc108d8b4f865de7171f07773377dbdc082d3f0cfa54e36ccf587bc1d

SHA512
8027d43d54401a52731f6565b83a1036ddf149137d0d8f3552a71d1404289a40b148eb842d1b7f8a2fdccb2b26e2142746ba5d65748d30624787489788489260

Download Submit
C:\Users\Admin\Downloads\Aksm.exe
Filesize
182KB

MD5
253ead269ed0dd5fdb630a6e46114487

SHA1
60e17c32222f90a0659d90ce4b7322b94ac7ab5e

SHA256
03ffcb030a2e9a41e26c1df58a919da6d0f89c00b7d41156ee436550e277ac0c

SHA512
f92027d213a5812ddf3234931d6ed33c4837f0bad7e042585fb90142b318dc3a3776b07007c183ecf8af05561518d5cb033ef8267ee6f7648b62453a948576fe

Download Submit
C:\Users\Admin\Downloads\Askm.exe
Filesize
637KB

MD5
8fd9b892584f42debccd376a3c790cdb

SHA1
a3a1872b41d432c5eb869eb1dd93c6489439799e

SHA256
9a9bd9aac84f0b48d67ada3aed2ba4cc48c9d006bcec64a36242d4dae5357e5e

SHA512
92ea16c3cdb437c08b114bedd376da09c7b7666f576bb24545fdd3c46082d3cc00c9d214300bd29c48701424c6da8c256bce6413a4dc7c73a54c6cfc641d1b24

Download Submit
C:\Users\Admin\Downloads\AwcW.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\CAQS.exe
Filesize
190KB

MD5
85ad1097d1c194f699cdd5a2bbe92e0c

SHA1
49e11edef9025e3b77eabf10ef707d352adc29c0

SHA256
69232b9e9b6c0e0ad62007ddc0a1584c4bcf22966bc7f6055944cfed52b70695

SHA512
65c30658d650aeac6ed78ee1383285bbcfeb831d1446af53260769419731df18de5ca0525f0563f737de209295d3759a1dda2bd14f638404d8a2539012ad53d3

Download Submit
C:\Users\Admin\Downloads\CEUK.exe
Filesize
202KB

MD5
6db86768ffeb0fb4a8535b91d9de8081

SHA1
b0f5411459027be4d44f44f8d629cd68413b9bc4

SHA256
3729bc50bb3c1be6659a42e619f674dcf46f08b19135af9c8dabf81f77293b17

SHA512
465c356716becae2f270f9302ae5ec3d2b26888222dcfeb628103868cc74a2a40f3e68a97e04114abce94c0f66f6e9528a1d1bb1a3f75c8d77dd9319f373d3a4

Download Submit
C:\Users\Admin\Downloads\CUAK.exe
Filesize
195KB

MD5
22b440ef9a8a0fda892540227ec311a7

SHA1
97695f93f190d85f6a5b5cb3aa085abae3e848a0

SHA256
8a466a5c658c6e78cbf88f9ee126714e20cf1e743165268f0319cb4c82df19a0

SHA512
81b10494b8a9ded9950d13f98a4259baab63f84ef23f50abd21ce42796262d77924c7ad77cad0aaf6f47ccaba9f2eacd94f585d0518d0b03a44c85d9f6e352f7

Download Submit
C:\Users\Admin\Downloads\CksE.exe
Filesize
647KB

MD5
1f107e12dc82ef711b9f5965c92c3849

SHA1
310d408db4491e7c9f6c91e51546b0f56b74cf75

SHA256
6b20add589579e2b820da1b8323e2911f11027e3db3a48345fe49f9391efb94e

SHA512
48448e1ea787b5f118dc8835a8aa839ee58a8f43d2a7834514df50b7a7ef0bb87a0fd827868e9be6b26ec8e1fb37e8ba2fd9cf4618ebc504cd1a95f83c480faa

Download Submit
C:\Users\Admin\Downloads\Cwke.exe
Filesize
194KB

MD5
7e2c35378f1d943cad6e37217b8552e0

SHA1
9430cee0212df881b409a36befd2b6bde10211fd

SHA256
1dc4f03b2b3fa2bc48a8a4af0f0946b2389eaa0b0a942b022189ba15c2b607a9

SHA512
3fd34787c1320d63c812432224f4f9c59f26721d49ed0cb47d6a18fef478bb95e72feb424c0735829d7f13ade20044fb128a604860deabb2186bdbdfbc27ec71

Download Submit
C:\Users\Admin\Downloads\GkwK.exe
Filesize
203KB

MD5
e18fd16cae05f7c0f96d3bcae3d35e20

SHA1
73c849e965b946ed44de477a07c2dcef38da036a

SHA256
7a4734ee9725e9f2d68c90d55383d6eccac8cd82d726b5476aab1bacc0b18d20

SHA512
db682e60ed390294e20a58dedcedb46a96c1d49d0ef9e7eefe31cf40b2c32b95d330469a16ceb321cfad7076be1d653bb450b59720b4081512b2e34236d6b5d6

Download Submit
C:\Users\Admin\Downloads\IEEm.exe
Filesize
317KB

MD5
5288333b6ad1e60f5e99c74e6b65af79

SHA1
e876062001cab92c7bc48d0204ae6c1289d2623c

SHA256
d0c11465dc6d855c1e134a974c6687970c51ea649b5f5a998115437101a4185d

SHA512
edab3c198bff9c8ddaa0391b230641c5eeb3ba4eedf4eeee9ff0946f78e886fbd9e1eeeda88574198a7046194e96689c80b1c0ade21bc7e2ab2e790949f88007

Download Submit
C:\Users\Admin\Downloads\IQIQ.exe
Filesize
654KB

MD5
51f80a0ad960333b83bcdd3298e6d77e

SHA1
03171f63d65e7849402e339862e5e1f47a7a8cf9

SHA256
68895c822ed38439ea3565766e4b407d4cdbbd9d4ddf9e588cec02bb00ea8807

SHA512
ff8ce633ded30683d0cbe14368054d14964755251d0c1c32dec399b4937dabcc6d8d591de17860dd43c944f780d882135af0933bed95b484dfdbdbd5eddcde1f

Download Submit
C:\Users\Admin\Downloads\Iwgg.exe
Filesize
703KB

MD5
53b6cb48f7daaeb5e8ebd432941d9016

SHA1
3945ef5930a730c07c80ce5c5332f2aed9427da4

SHA256
29902bb0b2e9c38950471c93c0c5aaa8d30ca43726869b4fd62d32017eaf0129

SHA512
6e2f4a4d7cfacf19ed1335e8d6b036b045df115224bab10665f3934f3c78b6421b61d4372a77bcd78a1f96767f53aa4ce6684a3de9aee000bec3b612572a62c2

Download Submit
C:\Users\Admin\Downloads\KMMQ.exe
Filesize
211KB

MD5
d882f647bebac7693fb73a5965ec07e0

SHA1
455dc1fd3094aa911869c96e9a299b7d62128011

SHA256
78ba306fdca319f7cbff20a8a8f11cecfa035ccf827df05796ee6e63c16e6935

SHA512
7c9d4ede8397a002b5675966de49c633a406ae3e3cfd8d4dad55146aabebfb20b53fdc418066867333476ac045ad38ed290819450639efcaacf68bf10a8899e9

Download Submit
C:\Users\Admin\Downloads\KQsW.exe
Filesize
225KB

MD5
a6b26758d64f715450007da6f06feab6

SHA1
e21134c9eb8d43d5411b6853105e4d525b94c169

SHA256
43778a35e9e6594d6ab7ff2b61d12673ccd3b06702f05893bb880a32761cf38e

SHA512
b0604c9370e1e25272de4314a67e0e1995ac336fb4d0dbc286408582325e87c08b9c156e1e9e610f018a943b32fe3c850403868ca27a3809b8d4831d1424a478

Download Submit
C:\Users\Admin\Downloads\KQsw.exe
Filesize
185KB

MD5
4db78df6f7278e7cc7baba768c861d9b

SHA1
ace53b4eb09d732e4c17ef67753a3a24ed332166

SHA256
3b40877cc419267c977bb0cf0e59cc5f7dbd9e61971b1d26902139ecb280de04

SHA512
873b15a6d1e09df7437d49a61dee67e7a649cc10dfcefc2242d9ee6ab2d20fb80f72d909e8c4a720b0e8e58ae4b7a38c9842f610d4e7c18e1b8f5024329935af

Download Submit
C:\Users\Admin\Downloads\Kocu.exe
Filesize
1.2MB

MD5
3364a081e4fcd8fe60c3d72e692cc24c

SHA1
4068a16933b79c11a6e4062c14cabba46f82e609

SHA256
cc3097487eca1dc6160286eb3dd96d92bb4d546f6dc9739c7a0e6dde21336942

SHA512
a7c25f9ac36d31f02c0ab8022210c8e85f119855f299be7d162fc9575b9343a7dbdc0ab61cb40492f78db37cd1cd30a8a586a1ca7daae09b27469bf0ba74952e

Download Submit
C:\Users\Admin\Downloads\MIYe.exe
Filesize
186KB

MD5
84a720652e60094669511e4f30b1ba3a

SHA1
dddb2c0c0e88ff573511b55eef299969615d3751

SHA256
dadbdbc728142fc808117933158496113cfd524ee208295a5321c58b081fe269

SHA512
245104bbb1960566b45b202b3f3037f5f9430b60cbca2ce7f2d895694a9e0ff3eb0a43f21facf7eec9757cf83509048f0d6456eba01efd9f82104817b1109e8a

Download Submit
C:\Users\Admin\Downloads\MUoa.exe
Filesize
200KB

MD5
0832a0f3d69ec64be76958794b2f6191

SHA1
7b4ecc79c8eeef665a589948a0d5aac857e07f73

SHA256
e4f65676b65621f2f4c0ccbd642307bf7da80618106e169628f43b28c129148d

SHA512
947a924da1194aa96eb4809205fca8ffbfbd0ae3b8bcdbfccc792e102b9aa2afafa1564e3d3a5ceb93d6e0c5cd63b141497a56c77cd56e42d18baaa90f0eca04

Download Submit
C:\Users\Admin\Downloads\MYMy.exe
Filesize
193KB

MD5
e177c427a7b8b8e023b82b473b6508a5

SHA1
32bae9c7df80438cd669a16eb23fa776d27fe22b

SHA256
4b444337523178da78adfceeee1c9ebaf5ad28bb44eb2ea629d925486f16ddde

SHA512
4ce86711f8c7b6ffc42eb8402921cef6f9d40dd445f6780af8fe68af4fb30d0723cadeb883a241c5dd458e3ada3f27ec80745380c4a8f045c151a2a8ee058933

Download Submit
C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\OUss.exe
Filesize
410KB

MD5
3a009b442a418c8fb1e6801ee274acab

SHA1
cfed9ed85dea8bb8ddc68ab873b68a881081fe21

SHA256
8321650f935f73ece19e53ececafa72a607b19a73afebd0305b3e76ebd496fdc

SHA512
45aed3460b6cc36b188cddd36deb3a0a7e42482ec2ce9d55638ca07881be2bec10efc23399e42106cd4d3381fa6c11d5d636ae6b218242aab9b4961e886e4131

Download Submit
C:\Users\Admin\Downloads\OYYc.exe
Filesize
213KB

MD5
7ac38d72e8c255247bce62f716ed5436

SHA1
82b59602d0273a572bc551244c6a7e602afdc099

SHA256
c3d1f513dae28663e9b7ab22ff637884985b36afe4d8fb4ac773b693ccab95ef

SHA512
3670bc96dfb83a869bc4bd13ae931fac1e75169b82b18e6c5caef420bb8cb735c80593a102364b22b7fa7d42c1ea2a9b6eccca16fa19e7e7bbb2e2b3cda23bc4

Download Submit
C:\Users\Admin\Downloads\PolyRansom
Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\QAga.exe
Filesize
205KB

MD5
302b55c60816427697f104143b26f8aa

SHA1
aeef629c18175cc4736415c99d9e931d1e66691e

SHA256
cccd424266b548ad0ac693f13cf49f8a4ddb5619bebf6e822243d84345186ee7

SHA512
c16ff6bf8851dc936f3a749b85aaf10c8591bfe96f8694e71ad1d3150db4411ac9866bc7dfdb866c8d14a46a673162bf269862ffed4cfd19523902ad46a80576

Download Submit
C:\Users\Admin\Downloads\QEsG.exe
Filesize
189KB

MD5
3270c214169bcfba244887425be189c8

SHA1
6ac6691e6487f7679469e566376dc7fde853f8c2

SHA256
d2c08839f513bad31dd90a83409a158d4d1ea94059ff77ae396b8be6ebff601d

SHA512
4ca5e5f830d3a1494041fc000492a966014ef35fee268cc9cee9558153406405ebc0e8b1df4f6b2a3b7a614bce2eb919f47a6e19b0d2bdf991d6fbe5a6cdad37

Download Submit
C:\Users\Admin\Downloads\QQgC.exe
Filesize
202KB

MD5
b77d426975814b7bd50b09d6d0ef5e4a

SHA1
3c1193caf2c7fe595d88be28aab716d69cdffd27

SHA256
30bd6abbb8fc3e995273c2c6ad9900326ead245d9fb4de8d1ee24e5b7e131e6b

SHA512
3c79ad39c2a1716d9945ab8cd01b14937cda2721169b87a6ac9dc28d7b2913e3c058cf2c06025c2e05a67ce5d6e88f265e7a32c768e8908b91446eacb9379577

Download Submit
C:\Users\Admin\Downloads\QgcM.exe
Filesize
194KB

MD5
bdd8b4224ec62b0fe3b53b93789a7883

SHA1
11919ae3b1d830cb277175a01b8d7833e5edb1a8

SHA256
188d1cfcd62c94c6f75d2cd2a2a27720fe4d24e5a6e0971b656b44857f381215

SHA512
ccf7be72644984c7c45d6c63942f4d48b33247cdd2351f362dd2708a08243ba245b92dd1e932195472ecea7dbdfd878e716960139ac3ea3e21a51c34e53d2422

Download Submit
C:\Users\Admin\Downloads\SIIe.exe
Filesize
756KB

MD5
34c93f5268fe24be437b9e69834c2fd5

SHA1
68de7c697a55072e1b12f3c11669d354ff5be91b

SHA256
bbf98764f6ee1d4c1b3bd61cdadfac61bea9d160c0a0435889f22bbd640eaec7

SHA512
4a69ad285009c86fa3762829de7331ba73692ba4897fe80aeeb6817f3bb8d1b00a3dbb7bc62b525ea7d0b348a05491121d99676abf18b835e1af309b5be9df4f

Download Submit
C:\Users\Admin\Downloads\SQsi.exe
Filesize
6.2MB

MD5
0f195be436b146ec3593bacc65231c10

SHA1
d3cf099227ea520b02114c670aea7f60c1bb3026

SHA256
680fe0ccb40027917b05126b296b384e74619c678ed9b25adc35bfb272d9889e

SHA512
18d07396cc5c255d26ce72480d32dca02e6876429c22b8073f3d082d8bd1daf7f70f4dc3cc32e1ba4fa31928aa8c9313ef0aec9b35f0cbd09170056229153c7f

Download Submit
C:\Users\Admin\Downloads\SgAW.exe
Filesize
309KB

MD5
a97910d52c4f8e1ff07b8bfe99024090

SHA1
02c2101fd07aba001b875a8efa72aaf1a5a7745b

SHA256
8143706540a5c1eaead3e3ab32d45e5bf0f4e6367ea70ae6033f1f44e39e7c98

SHA512
6ffcf2eaa1ed2c8e1eb24e0148227ce4b79e60e2d42ba360d97227a816713a0b588641fd75ff3263b5dffd91c2d6da5e27a582f1030f09d34a6071af667f300e

Download Submit
C:\Users\Admin\Downloads\SwgQ.exe
Filesize
205KB

MD5
00f643e3cf153257869fa688db9bf4d8

SHA1
2f2242162ae8f4a6888332e20cc86de9fad5ad9d

SHA256
409bf8ca352b9464f511bf6263d4992e69616c4364afb7f24afa33a769e71850

SHA512
d3ae5889d545ba5a1be27b69465ee7b12994bf22c8a130571a368bfecdd974196cfa9a4bbb97976561ec317ceb45ab6b3b5e5ad9514c1e3613c29586b76f95f5

Download Submit
C:\Users\Admin\Downloads\SwsI.exe
Filesize
204KB

MD5
d0bbe87cdc846e46da1b7f9259297ae7

SHA1
6b0af82e47bd33077e599809de90b5d8d1eda711

SHA256
a5f897d4b6590b736492c64ec8ddf54c9a2544c539cb98dfa2f0085ab440a3c5

SHA512
92d3f46b7566ec329842ad60bb1f6fbeca47af7e506e6f2b09e03ed4f55eded274e8f829d6c82b25f4b4671f21c30d390b80b884ce1f9bde55fa2df6052afb31

Download Submit
C:\Users\Admin\Downloads\UAAA.exe
Filesize
199KB

MD5
c9ce0624cec65724a17a7e188693e71e

SHA1
ee59c49bd3df0f827349da6dfda9a61b18356065

SHA256
154e80531ba632bce0eefc586bd504c761558b9c60e276d22dd704892c8396e1

SHA512
85867e3e8e5bd13f2168a40830eb93b45221866d5568b78496c412c44ce11bbd2529a5645f115ac08c53dedcc7207f4c8825f16a2c65a080a5e52d4b2dc3e5be

Download Submit
C:\Users\Admin\Downloads\UgwO.exe
Filesize
182KB

MD5
10fb22938548867220bdc09d88c8c905

SHA1
2c1019a13c75ea75601383470b2713e5c79f8bdf

SHA256
992e6ddfbd489f32a03b843d1d60cafc2cc61c5e0460bcee42f7b6e6ef4384b2

SHA512
5c4c1c2300314f82287a1eb83c35c5d002a37dd7be3431ce514d8d9468a51125b1c42438926920f0d967cc0cf27440eabcbf71484ee4c0652e2bef1e1731d775

Download Submit
C:\Users\Admin\Downloads\UkQI.exe
Filesize
197KB

MD5
b4374dcdffb9632f741a39acc92a1afd

SHA1
caa52affee910b25817664c159223c5379d443ab

SHA256
5c30a5815e3d435be7e2a8d1e676fca598be41a8eef546a7e52afd0831383551

SHA512
fb5005680377fb6afc846336db83ae950a81cf9f62a17c067efe7479af093f011b9aaf7f5e9b110b14c426954f492079bee2041539e9abf0b5cd4430e9a39312

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 630903.crdownload
Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 776309.crdownload
Filesize
390KB

MD5
5b7e6e352bacc93f7b80bc968b6ea493

SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be

SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a

SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6

Download Submit
C:\Users\Admin\Downloads\Uoco.exe
Filesize
195KB

MD5
c027fada824d7cb825bb14e560bac475

SHA1
2b88795760e4f3431b8fbcbe52c3dab2cbe85af0

SHA256
0870c0bf5fdfe129c0ad9a29532f5aa8daca6c50ce3bf6763d522755090e96f5

SHA512
f74918fb6fddf05ba2b1d1ca0986c9d13697bb8b803f138f482b0f580e7cfbf7801006c088d58f3754ef1470ebd7d5662dbd785523fc651cd5e84cf8004b1dc4

Download Submit
C:\Users\Admin\Downloads\WEos.exe
Filesize
192KB

MD5
9839b629d262542892c89bea0a012020

SHA1
9aab93cf0e45ef686a849fe50ced8f965eac3642

SHA256
d83c7c9f9a0d7a719bb7ce345ce8ad1aeeaf871eaf30d0f7fe04927197468c39

SHA512
902a5aa523357958efbabd10b972c9eef9abb8cde79d92d2b3b3080dac4442dbb467580fe424583561bcff2692f7788ea5cae8722db40e1a0c3e6017d68a9f75

Download Submit
C:\Users\Admin\Downloads\WIAw.exe
Filesize
580KB

MD5
4b9e1045779131df3f2139b4650f0e16

SHA1
4e3297991b67527231b7a5ddad1fd40d5ecbd067

SHA256
f1dbe331214eb081e19d7786392ba15db10d5a6044232edf90936aacaf7c10c0

SHA512
97341214d71e68fda187650b71a0f3c5ff0c6c15abc82c8383424c93cdf0cd563f7863501485e12709a2795a9afb191d0680d16bd10828f918b34716f3f4712a

Download Submit
C:\Users\Admin\Downloads\WQwY.exe
Filesize
197KB

MD5
656517c7a241089ef3905ce5dca0fb65

SHA1
972f6d67968ccd5e983a27c9f52a4cafeeb07fb2

SHA256
b0c674ccee1d180026a9e589f13c34cbdb3fd4d5a1f42062e0039ceae06e0c84

SHA512
d7e1c4aac106d952474963e0ef6a663fe3405f90db2a337f454a81db3eec3cdd8153d3493fdc6e74f1c25898a88d252e29ddf37d4fa5eb96f15266609944c062

Download Submit
C:\Users\Admin\Downloads\WcAI.exe
Filesize
239KB

MD5
fa432af422020f5749e5ec5b7590ce23

SHA1
8910c2cecf1e29a0bac227e3be87ec6657341200

SHA256
a468e990d061e8f1c6a9557c8e7da97ed19c26ba348821ed6132bf5db77465dc

SHA512
71c2817ba301b5b4a576fb4d2f3182b8f1e114734ca57bb84a68221a4b36b4189231452832e78f5de2f68e0ab9140341a51e2048859748811aedf2a5472ebea4

Download Submit
C:\Users\Admin\Downloads\WocC.exe
Filesize
206KB

MD5
ad7e61872a16e0fa87774d5cf111facb

SHA1
abc98c96df211c6022cb9fde1fea6fb9ee73ae7d

SHA256
a415083836744d4addddcab5d4f6d12beeea9971bcdffe743625ba88a0d9edb1

SHA512
0da13a313aab9817e46e5dfa8795805006334f96a7f32df5f4a28f1a0784d0bb8c9f666968aa127bbf2404f350220f85b7012bc104508dcc6813adbed160c4e3

Download Submit
C:\Users\Admin\Downloads\WsEm.exe
Filesize
219KB

MD5
feeb74e7357156251e003832d5f283c1

SHA1
578a2fee149e9fc68d035b321cda9ebc34c3729d

SHA256
4f8d686866fea232b385077e8a7768e365faa3134bb0ec358a4c10dc245ab1b2

SHA512
f1e6e470c034ef786e8efa0e0e1e76d8b7bee922d1d28fc64ce959bfb57aae587430b94caffc03ba03a99b70a7820e2683282c51bcfaa6a613d5f75e7bdf2a37

Download Submit
C:\Users\Admin\Downloads\YYok.exe
Filesize
6.2MB

MD5
50257cff70deb704f2d13b3dfc817fc2

SHA1
49486f320a5166772a1b3c6c0aec6dc533212b8c

SHA256
8f04fd17b6089f4149d0c87b2f7e96effb2e5921fb1ffb82c0fe38be44aa1571

SHA512
3800cf9dea24d018521f9045b402fd620f16fa8be2051b43b901d5be8ddf5531dad3cdd6d80715ae93616991136d67f4d9415938416c8c4001135a1871cb08a1

Download Submit
C:\Users\Admin\Downloads\YkEo.exe
Filesize
629KB

MD5
9ceefef0739732543989fd1d2a790e5f

SHA1
f3b9206e39823c10ee37c4f1aa8a7c432f29d6ac

SHA256
655033fe088a00a2f9abdf40c4f9ea596ec8738b2b2424c94d4b347e2109bd2b

SHA512
a28c97398fbbb20d65900dfd726f51ee4b86c2d5890cd298e9379aeeb0cf2d3f20f34b2447b9be41091d24feb3c3f86ccf72f50166a049e0cd3427a413e9f4e1

Download Submit
C:\Users\Admin\Downloads\YsUK.exe
Filesize
227KB

MD5
787fc5b45e04facfa3f4e479798808a3

SHA1
3d6bb8dfed8b99fea97d3a6b951edbd886845294

SHA256
029d5c2d4fca184f8d1eb3b9293c0ec0b0e22e9290a8ee92b44ebcd7093a3743

SHA512
dd42cd35d722f7092ca3009d411dfadf65df02649aa964eb2ed1bd2115be691dfdcb08a31cbd76b818fa0c44e2c405cbbf24c0ba5c0df793cd6c960a794c51c8

Download Submit
C:\Users\Admin\Downloads\YskM.exe
Filesize
199KB

MD5
7ca7b1dd9b95533f2cb9c085e4c0ca2e

SHA1
516ca741d224abc1d13c1051d488032266481878

SHA256
132fd8afbeec25988c06fcb0282c8af90a67f6e10925e4d7e9826d0f8741100a

SHA512
64af59246305f4e3c6b4e3bb4b2cabcd978ce825c7537acac3b0bde80ca5c1782951c0a06c289600d4194ea0b6372999934e9412e98efce386474d706782a961

Download Submit
C:\Users\Admin\Downloads\cEsK.exe
Filesize
188KB

MD5
17fc9735a2e2f9f0f446778663d0fd23

SHA1
d7577634df85676622a4ecebe9267a439517cc7b

SHA256
51b38738cf685685e3e3c5bc36eaa70ea162f8d7d5dca6c928ed823797c5c1b1

SHA512
cd69d1bea5b2ed1a9ac3ed35bb11010fa36299f0a693005eb9e0bca83308734949fff9ecfa387e9024410ba06a27c3b752189b8c32e5cc1190183c53ee672723

Download Submit
C:\Users\Admin\Downloads\cUUQ.exe
Filesize
915KB

MD5
12a1f777e6c677b78abf985102bfd3ab

SHA1
df62cae6b2997d8790c7e045bfe06523b7d5d684

SHA256
0c77731c407040bde27b36d410a0157ed0a6a57710dacc56abffb1feb90e7ac9

SHA512
73c6e47d853b94e6ed3e1cfb38736bd7b2ae17250614f6c56f11c1b620d0b99d625942a686dd2201a8309528f788e7832d4d7200946b18dcf1cfc811cf4cdc18

Download Submit
C:\Users\Admin\Downloads\ccQK.exe
Filesize
204KB

MD5
f22be3824d4d71b0debde8570abf993d

SHA1
e01502eb7da011c74a44d34f595440f0d49970ce

SHA256
f62ad08ef343c285024b55ed658c4e7f983cb2a6fdc568fc58a162740a1371d3

SHA512
e3fed57ea20d84aa5f7e383f7ae43124f67998f2e02c00c75b18ee4fa2a19ebd0c101e8acf81a4312bc09b5a36ec28bb62dc9c32c6e9660f38ca99088de54bfb

Download Submit
C:\Users\Admin\Downloads\cwUu.exe
Filesize
190KB

MD5
42a191ccdda44e9dc9dcdf3addf82be8

SHA1
317b78d5dbf07129f38573f0ab37fcbd945b1b5c

SHA256
59d77abfdb1399e73fef01262ced125a390f30251e399b2f54be22c279228957

SHA512
be487a01e362375dcf7cba91c55ad1ac90b2aeb6b614f91e81dec8181d149134d9395e783cfabd44602ad2c7055a4cac2ed2fcffdc5fe6e7ad3ebab53faf921a

Download Submit
C:\Users\Admin\Downloads\eUYw.exe
Filesize
195KB

MD5
aafae3991d15486e471343a71700d020

SHA1
de4d6bad27ba50dc5126dece6c398527f198e420

SHA256
b09afe8c3f964d9c93d3ff36d2d840fd14fcccc1ce3fc17b62f0dae497da1bdb

SHA512
4c5ddff12fe1ca00234cdb35cace2fa3a85272ff77a4ca5c239f042b36995cf80d5fb975ad626d04c5bdab1152b4138318b2de2edbd762b9ebe3129a1fe0a6f0

Download Submit
C:\Users\Admin\Downloads\eYMc.ico
Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\egsk.ico
Filesize
4KB

MD5
34460862c89281546603585eba87f992

SHA1
c00e6558b839be12b54316e87116042454cccbd2

SHA256
bcb253ea3735a0cf0a8c6ee06c14c884937c64ddeacedb17240e40d403577620

SHA512
b21fbe3ba5b0a15dfe6d5797dd72fdfed7798748b1acc8846251ff1f58e164380a0bb2ff40a110f2b86fc6ba76abbb8cbe7a148eff697ef39a5dc4d1448bfe67

Download Submit
C:\Users\Admin\Downloads\ekcM.ico
Filesize
4KB

MD5
1097d89b9f8ffe7c92f0574f4dfbda3d

SHA1
b1543f2204d93ae2dfbcb1ae9dacfd910df0e8fa

SHA256
0c344127fc97373520a16b3f27c97914b56122a7a57c6920ceb6083274f4bce1

SHA512
cf83742200a8e75831b3b65945e3e002600fed62430a3f03a3d12826c35dc40e1a045ac5532d757edebcd542cd2460e3a1b9d906eba6d150c70e80d29329f507

Download Submit
C:\Users\Admin\Downloads\ewoc.exe
Filesize
191KB

MD5
f5cf04af0e19bd6053dc6720494b8147

SHA1
763859cb197f8bbd781ce737b2836e251f26e669

SHA256
21e9ff17f574f30ad072fe9cc0c7daa7244b6e10aede4c24d5f52df69b3c7be0

SHA512
18495fcc75fe3263a66696723c9f42bdcb960efbc7d1e3f05229cc6c126f61a4f3dcf6329f980c742fa4ac6e3ffaf1bfe64852899f72790845bb88d083860df0

Download Submit
C:\Users\Admin\Downloads\gEIC.exe
Filesize
203KB

MD5
e506ff4a7ee9395bd17bbc29f2d4d443

SHA1
e90dbb4ccf77e8356d5b913ed0f5e56fc9f61e22

SHA256
77ac7010e9d8d1eb1176cac564866b4c69a3e6ad7f1c4811224c94267827e5cd

SHA512
516f7d874b4191b61fc0cf889b23f563e80d45ab00f9b3a52770aad13db0799e5ee05342a6c67edb09188fbd2b7df04a40d3f10d103bb0af22b1ac0e2ca42df7

Download Submit
C:\Users\Admin\Downloads\gIYC.exe
Filesize
1.7MB

MD5
a5f9519da0fbc41f3890747cef513292

SHA1
8d0c562f0b6ada6e5d2cc76f492fe23f54c6fab6

SHA256
f08ac76a0d0791ca4814d4d588028ee4fe95e275647087c9037ac2488286e231

SHA512
3bfcfc4d914414a96bbda2db7143cc8c8bad1b17d7c3112a96aa29cedbedb00267094fd1447b1e5e155b0f31e6451ce41528169b157b48dcc9e977d313c6aaa8

Download Submit
C:\Users\Admin\Downloads\gQcm.exe
Filesize
309KB

MD5
f944ea5d48c43944742cb36c0338c112

SHA1
01ae48225ad568a177b534a1a29428339b4f5c69

SHA256
4c6b416d4736ad1a0268aee267bd52423a50070306fe453b77c6b279de4017bc

SHA512
6c128c36eed222bb3b58103e6a020426d2e956c904e35b408a5938eb7d1e9932f33ed6b05e7178df2f66ff299e6e129c9628d58d9544921e58cef9f2445a15fd

Download Submit
C:\Users\Admin\Downloads\gUwe.exe
Filesize
975KB

MD5
b6e85efcf0dd66dd699bd793a397decc

SHA1
db89546bd051f9131549fec5412107ee2cf94cfd

SHA256
361157d0ccd5cd12bd2ac60fa14ed9f94ee4544d3a37e1872c615784d99a6e4a

SHA512
6a98f2ab3615b929b7da6b500c7d1b0f63859956f45c297dedaffaa27256813e9d79be3777123240c480307ebb8608d7c674a266fd230d5e2185a2a7eb72ccc7

Download Submit
C:\Users\Admin\Downloads\ggUC.exe
Filesize
814KB

MD5
269eabfc9bd1ead8f19fbd22d88ba9b1

SHA1
735e09dd28bb25498dd29d006cf1a5401be6aca5

SHA256
3a7fc6c1365a3f8db9faa703c863c4fdf75d0940b477847a7440c7f5b6aa851f

SHA512
d5f2351c30f42a027541b005dbb942398071c598bcd69bd1236ca0e2a8cdf2319fa71d94884f30d5eeab0cef01a5af8020e32f2e5c1d2be9a070dc0b482a790d

Download Submit
C:\Users\Admin\Downloads\ggkM.exe
Filesize
192KB

MD5
2f70d8365ab4a4ea67c7114340f98ee5

SHA1
285fe9aefe7cc12d65d85f748c744d5c05cd9422

SHA256
3866aad34133d10e1a854693edae35964fa0f30425b235573b0fb5cb4e0e2cb2

SHA512
ee36a8938384d7cbde92945bf16155c19833564bf49aa0aa2a34a7ef537f3b064c3e75b1429839631c181e26baa626002688b0d612fc2f4e2a00ea2b94cfbc65

Download Submit
C:\Users\Admin\Downloads\gkwK.exe
Filesize
206KB

MD5
0624a92ea3ab0941bc0d8e32782f0095

SHA1
fedf87f429a1808b4740d6d4ad51de0c6982b2b5

SHA256
0695307edda98c533bd9c694999b12c62f40a1187ed57a4d48d83f79f1dc1799

SHA512
e8108e0216c496c4381a508583ec0685aba14ee53ef176a075ca51c985d2dc523bc7051e13094bc573cc6b6d40e5669541ad2e0d0c7a41a7fbe318a6bc384217

Download Submit
C:\Users\Admin\Downloads\gwcM.exe
Filesize
205KB

MD5
82937b05c626d3bbf47357803d2561e2

SHA1
b1a000767ce533c038cd364e5791603657bfa056

SHA256
343c5dcd9fbdbfb7006d0686a1e7f58652d58da1f365386f27a118a7f997bc49

SHA512
30c107239263924aae2e1965d355768a1baaf6ce097b0ff35d99625e54bb9110cbaf37b68a780f03539ba7781ed924cdb6e88f060e891eef2d794f1fd1dea759

Download Submit
C:\Users\Admin\Downloads\iEoY.exe
Filesize
192KB

MD5
c48d7c896dab641530073af27ce9d849

SHA1
03d230a37db4f2c227a87a1b2e425d96b46014b1

SHA256
bfb9e15ea53ed1500deae9e8fde3905a73b0908f957e6dccb12a4ff53f7d3d49

SHA512
ac3644b22b2dd1fb3a76da2ded22f4d1862caa6e347460506de5309acc2f2f1074004e2121432f3204d27a713d9cc4ea361a3b13c2471305c779115a7048a9dd

Download Submit
C:\Users\Admin\Downloads\iQMU.exe
Filesize
224KB

MD5
7f5ac095024c3a7adf55589ec4e2a87c

SHA1
b47c83cd719f945d21ccb2316206653c490fe4c5

SHA256
6d538b65432d75bbf233908c6f64c47922e9cb3b9401134d0080fe945ff23ddc

SHA512
b632ec5c9649150c19b16c17863716d7cd66c03c60171380095045ef63202ad7fad33bf5f2dd363eab327b5488accb0b41657ed522af9922241cd149ce7a0c67

Download Submit
C:\Users\Admin\Downloads\iUUK.exe
Filesize
222KB

MD5
9c87f43a0e02d619f2f066947d03877f

SHA1
b5d5a58b32ac33760b3d703004d1a793a1a29b5a

SHA256
11b012a7cd25715c4d0f1f1bc8d2af6ae7af78a871b0b10c1850a153d8b0d525

SHA512
755e04113682725396b664f4d39c4ee0d52c1894519281936302d52cf47850d102609094813fa8dfcde3caec6ede39c2ac6903c9bad8c1b4aeb9ac92586799f4

Download Submit
C:\Users\Admin\Downloads\icsM.exe
Filesize
270KB

MD5
209cdd2f9ccbc1b0023c6fcda3c9a4fb

SHA1
cbe1bb976ba251565bf819c3796d87e085f31836

SHA256
f39d060376b6aecde86a9c1e3003446f85166d72c225dfb37573f21596f32152

SHA512
fa5aeefec10ee56c5a0bf6f9e0c76075abe2965d55f0c03036d282305b6676fe1a0a5a9106a8b7b174304749f2957e8becfd6112237e4f8439087f8f15cab8b4

Download Submit
C:\Users\Admin\Downloads\igAu.exe
Filesize
223KB

MD5
6433a03c8488fb6c584259e2ab6cae95

SHA1
ec07a67b5ee157ea0bf668ffb37f3ad4bd93f417

SHA256
774b95f7bd53c8c4d1f035f23abaf105e6258f25e577dca3b9f8a47c5f11dc38

SHA512
f55d01811678669bd27e574abb2b85a9adf366880e2d334c959794947ad07cbafefa91cfa01a21456be2d907c09ea87422763aa875c61045b62e7d806db0cb4e

Download Submit
C:\Users\Admin\Downloads\igci.exe
Filesize
195KB

MD5
2479f9f27383111f6e8ed32a450fc5d2

SHA1
b55897605d813d9e59b06417a89600a0f150cd48

SHA256
131e7136ae1219a6dac643e3071b1a0293024590152aebbb1cc9eb6ce7df362a

SHA512
41b2601bdc73431df992b8eed0cab7a707b12621d7b902dfc13feb5fc12cee7be1fdcff759930903d69e09a9f1ed611ec295d690141efcdd00d34ebd4d1407ea

Download Submit
C:\Users\Admin\Downloads\iggo.exe
Filesize
188KB

MD5
5dbc51bcd98ec00913553370d833dfab

SHA1
bfd136d0705ba4630308938dfde7d12105017c0f

SHA256
c73944871121cd9c0de605afb97c42589fc02861d0a3abb65fe85378101f4375

SHA512
2e3695e5dcbb6251c26fd0ddf2555548ee3800b26fdf0453a8252c0f996c7a27061295e59754b9ad741509208c815c790a0778fb0739a63fa2b92e1bc75a691f

Download Submit
C:\Users\Admin\Downloads\iwIu.exe
Filesize
188KB

MD5
3b447431242f112beb9f3eaf1c1770b9

SHA1
4283d5ac10e7a575ae89fc41cd9b49875c200a78

SHA256
4171c6502811a5e812cf3e2589a33248d49d705c33bf37258035a2dcf53e26db

SHA512
261924de5ebbbddef9a9c6b354d56865563fd9b5532faf75ae5c15b6a33eeff626b2d99b7b3be8c0c4f021d48d65577e0cf22b205e1ded1dacc135d236c68208

Download Submit
C:\Users\Admin\Downloads\kAEs.exe
Filesize
193KB

MD5
2c6356d47c657da4bdeb77f5c705d525

SHA1
fbfc8d4f5fdb7d452e59e999d1ca5ee5113cd87b

SHA256
7dd4a1947599740848ac345bfe2e26e22a08c90e93e770f0019487f2602f784c

SHA512
4e9d648261c4c39cb42798ff57d6300ba583290b061bec23b8467b2846db38bd80b8f05b7e9461fa5bc41ddf3805acb198ed9f47cd6b8dfb68bfa00fd4b8e13c

Download Submit
C:\Users\Admin\Downloads\kMwU.exe
Filesize
186KB

MD5
f30a7fc840312b5d61fd347c23ace71c

SHA1
9e8cdec69416a380fdfea047e11404baa636834e

SHA256
5e367b60ad939270ace605761bc5c0a70e56a824f9e2447a74091283209d6ec5

SHA512
17ef48e24202cc241200227b650581350f1714309d2b3f1e77dc907e0471828344f308b6f147b62513f4e8cb35c09c7057ce93078d406c404b4b0a2892a55deb

Download Submit
C:\Users\Admin\Downloads\koEk.exe
Filesize
200KB

MD5
9d33f06be2573267d2d6239acbecab40

SHA1
3c0294359882677443758811f5af25604a2d55ef

SHA256
5a470e687364210688b7aa1e8c22a13303a43ff2b610305fc96285ce6325706d

SHA512
d722cd94a699d08b676d624815592bb09f4b68ab05e9b7824f28e9acdb1175098a8fa2ec6acfecda0119c79937b44ecbaa000c1439868ea16d91d2008b8a491c

Download Submit
C:\Users\Admin\Downloads\ksoi.exe
Filesize
185KB

MD5
20e1dc28565e4f27d79aed752e77e1fc

SHA1
e351365fbfd5ae95ecb4ee88cf3906311934b740

SHA256
9a56c9f5391d2a4d127ccaea74ef514e752c87d40464ebb494b194f9b98d1cf7

SHA512
90362d3bad3f8f2f663d64070246a16f63c5ac4204463a6ea84bed580adf87f6dd977f75858d0ef81a65b88e067fd9ec6b47801b16820c0ed8b3fd7cf8be854d

Download Submit
C:\Users\Admin\Downloads\oMkq.exe
Filesize
197KB

MD5
41be7f11f6567469eea00cdadf4c0154

SHA1
97a14fc4766f592359f81461620e44721408ce27

SHA256
14006b6ab3d5d3d32f60b5e67ce6cebd23d06e6558155a1b1714a8de9c04dc9a

SHA512
e43ed1f3f44a6cadf5a5ec004fe92a20d28ee9fda52b14c0bb656a32a434188183bdf08ce30880b959ddc7fd3cc4e131b9a22425cff2fe3d770f66aaf264c31c

Download Submit
C:\Users\Admin\Downloads\qAEy.exe
Filesize
193KB

MD5
9cdbe8f26cb2d6a1eb26a99c70559ce4

SHA1
c0820aafb45d15c57d7e357bc17147dc0bf09b78

SHA256
eabb8bd0391f866cf071db2c05f6a010600533239f7f7f198f471a46359a469f

SHA512
c9fd027f51b2d77389240732ae9353d477624df8c8cd31c2d4d9b6d28f1b775f05186410983754b96dfb847d65f6fab0c0d9f86b6741fdb05f671aaf270af3a5

Download Submit
C:\Users\Admin\Downloads\qQok.exe
Filesize
806KB

MD5
3c8ebb0ba17580c21f7867b1f01b6ebf

SHA1
6afb677806b860c8bffc43703c1b17f032596320

SHA256
db7a3628c4cfc7cd12903d96e5fb65c934cb6cfaf8f958e6019166f436905f37

SHA512
2171cdb43f8cb5dfdc2e1be8cd3687a8fa612293938d0028b759ffcfa96ab70667c611fde9e469fac6130a4559a49e4a447a4bf59cb0cb3dd2c3723a1623ab21

Download Submit
C:\Users\Admin\Downloads\qYAu.exe
Filesize
642KB

MD5
318a95c420debead0283a02fac4e5551

SHA1
04b34270bc095b8c5618a39715e290093bfd6878

SHA256
7ae7c0c2defa664be253d5e6950cab4d9e69efec3e2ae1f4fc8b4bf536a8f579

SHA512
cf8a777d0c67d07eec13ce8cd7a7a13cdd3dc1923ddc2d3f6aadb32c28556afcc2c22ca5d9b1e0788501af54a9829ef98f02af1d9c9428a526cbbd594348a991

Download Submit
C:\Users\Admin\Downloads\qgoc.exe
Filesize
201KB

MD5
31e15e54322714a5f6a28e45318cfc98

SHA1
cffc1007c60206ac8b09c05378b99cfc4e85b0a3

SHA256
db59e3700c057b16f1e42cde21282c67de7bfa6016c14b0784b6d572f34bc32a

SHA512
47fb058dccf99d6db0a62f93283b5d9d02bc2e0bbe0eb586b3dfe844de373c8949dec9403888d6a6337063d251aed721a786b4d3e82f1efc8d90c0558d35b238

Download Submit
C:\Users\Admin\Downloads\qgwe.exe
Filesize
835KB

MD5
7f4aa682553022f7c5a946141a975266

SHA1
cef241a962033ec2a1cd06dc6190c7b217222794

SHA256
fc8b40ac30cac3c9e4f243b2650224eda909ace1bb2d7f8e17fc2e8430b85a47

SHA512
39df2fca9eb50f7a33389eaf2d0864633cac0217b33bdb0f5ccfeac3b5cfbd952b16a6ca101fa7980c5a7699c91b0f930d8a15a2fdd443c167d745321d534cca

Download Submit
C:\Users\Admin\Downloads\sMoe.exe
Filesize
197KB

MD5
8c29a644d3f352894fb9aed8b58021ed

SHA1
226b7135c1bacd2ef725a4cc5a5f8c7032a22a7e

SHA256
4f9f58a8c909bb4353883e85cb3b156fc2e5db08c832555a87ff29b6a6bfd55a

SHA512
01ad62b4dcb4be2d109658d346c390363c65a1076a07911bbdc8733b65c32c32afc5629187f3b4b328e469267a21431071c7a982e021dd6d71330c6686bf662d

Download Submit
C:\Users\Admin\Downloads\sQYm.exe
Filesize
852KB

MD5
f03cb6a5cb2b727c3a92529a94c9ba3c

SHA1
a43d40e63cdfb3069397d1b3ddfcae6a938e5b9e

SHA256
2cc619e08f8f717736781d884256175d1293e6904239cceefe26faebe3b4f5b3

SHA512
7e1f3ec7c741a773f2982c6b9870eb4999cbd7b60614e83d96db3ea58287be6f7b112a179de5af47f9287b4bf1f626ffa67a7840d718045e9bf46a4bc1701614

Download Submit
C:\Users\Admin\Downloads\sUAi.exe
Filesize
203KB

MD5
e28a8f4cd56496c60f1fb9875bba6d29

SHA1
c28385a0028b17bbe4997e944ee2d263f8f5805f

SHA256
2c3e5a958c18687fe4dc46cdc92b31f8400bd71e3f137900989bc63593ab808e

SHA512
ca5281693be180cd07963501577a2ea41b50f4a8d12bcef34aa6fdf1cf6826cdef9e56f41101ccf697fd9ab5e5e4503538b0a219503740c5946a40c53e5a362a

Download Submit
C:\Users\Admin\Downloads\sgEc.exe
Filesize
189KB

MD5
adf772eec60e21324bcb83facd75eea7

SHA1
b59a6679cc5498fcf0d03b1c844bd2b89c299044

SHA256
28d7779fd9ab771d380a51dd2c0d5e32bacd20d0794008b4d6a67389f2c2ca44

SHA512
f28364b9827a97059de8b594669b42f443853ac314c09c78686dc6c15e21932badc427b6aa2260b6a0a58c9f12a17e9367b630ee8b0f624d67d508ceb048659e

Download Submit
C:\Users\Admin\Downloads\skIi.exe
Filesize
632KB

MD5
dfdcb713bbe39469d91884e05870171a

SHA1
48d4a892997c86fd4217c47c353feb26a6bc6be0

SHA256
408360074edf0388742cde60f89659ad7333835a95cad217a3520b1aed0c4e64

SHA512
76b775e41d3d252449ed2af78672735efbb0bc7d67b6019604bd4c973e808e3b6ec545335ee606c89771b1dbf47f710bf9c8e16029ef06003a69922405e908bd

Download Submit
C:\Users\Admin\Downloads\soUs.exe
Filesize
195KB

MD5
3089d8b0b83b98541eff0a6c08603fc6

SHA1
4abab57478d6538cfa36ad275d6638bf024ae73e

SHA256
72c73ecc072d04adde2448924d233f947bc72bcbf9991bdeaa4f9c2769fb0125

SHA512
01c4850ab9a579e9a5978524de36926857365668dcff92972adc4a694e9b415653693485838eef58d7833981e53bb10e5f72796ddc3b76f953e02d7a1a928d7d

Download Submit
C:\Users\Admin\Downloads\sosW.exe
Filesize
6.2MB

MD5
764797e0ac436e064c4e7d194c994092

SHA1
42c034a7a78d35f9a8a7f06a88ea5a72c6794dab

SHA256
e20f35aec9c01a4399672d1d65ddc21566b10bf1e55fa0ef558418952c321010

SHA512
a99de35fb5860006bfa7f10f5dda73fab2338f62aadef9d54c363269c1026faf89793651c5922e1d7b835fdc385a2b69a5534a89937904a4b2824f968be80681

Download Submit
C:\Users\Admin\Downloads\swcS.exe
Filesize
221KB

MD5
696a92a8d3e5f784fda9d681dfeaa0fb

SHA1
774b4e93407cbefb21d2472f073b0193fc3cbe45

SHA256
ba570a21eba1dc29d12583852000972d11858a3c7b2579ca8a5b8416483fe36e

SHA512
df1c01c0f187b3ccd2b9b32db1ff675a6805f708272b2ff3a3e0a0f1ffbabfa6593e0c7a364a255941b5f2d23854255d524c61149b2eac0599e16cf2a7940280

Download Submit
C:\Users\Admin\Downloads\uEAa.exe
Filesize
801KB

MD5
c6f475863d79e7903b5cba7a246c1f81

SHA1
9c377a9d876e9a9250058a618da0f747011dc365

SHA256
67187bc82f21af16cf9bbcc011256cb4f0decbf54e9e0cf8e1b21bfd057b4cb4

SHA512
b4a7d514098ff7fcce290fbe396300576abbeeb785ba4c6ce7a60643d1b071ad8744ac3a87b915a0dc9c9494012876bb536979fa34e4aa0125511e482dfd8c9c

Download Submit
C:\Users\Admin\Downloads\uEYw.exe
Filesize
201KB

MD5
1c3261aad1fa1741769e2bd94bdc3092

SHA1
ed3366483454d66d8fe9f91de6038a70ca97ddf9

SHA256
39cf907935ff748c492f5e6f2269f102015123c3429ada9b5771c11c9da078a9

SHA512
8928fe08762bcd77ad58b0f104a7aa38356b60dc774ca1148ef0e9b4dc1a7b968c835110f51fa469957fa7d1ff918c0746b72ebe84107616e15edfa4042323b2

Download Submit
C:\Users\Admin\Downloads\uYko.exe
Filesize
200KB

MD5
0ae948c2ed743f18f7622b2a6438e378

SHA1
a8b4d9038225eb00a7ee30b85be7301a18310e22

SHA256
bae4aa5a20f5588ee61fdf43166afecbde9cb65298bcd27fa2de85734a85e38b

SHA512
1d129d3381edc9c8b0b13f072534c9a53f549a158ac8a5b35906c5dfdfac771b5a1726a38d74dbcfda585251eb7b49a957fde29134d654c61e9269a5f557d9a1

Download Submit
C:\Users\Admin\Downloads\ucku.exe
Filesize
657KB

MD5
820b222f1245c5b26558f267b3253bbe

SHA1
3b3a2c8c2c0db49ecccaf7e69730678498284ba7

SHA256
c35ee773e59288e3256c23a98564994b8e227839a616cac325e8e8117d5dc990

SHA512
92bb20921b49c1e606df7c20f8f0f4bae89aa8a1de633c71972e45de6a5613ed2c69df1074f7da8c677d0ad96ff1d1167d850758d5367c3216d6c3839ae5e80e

Download Submit
C:\Users\Admin\Downloads\ucoa.exe
Filesize
424KB

MD5
f404061f324ee7228a7b79ea29080e18

SHA1
d20c9cbcd3cee3780892107c5a87802972471b2c

SHA256
00ddb053089f10c7c66c629c7faeda450e9a4657a1b592ee8a8dfdb1d7e09d56

SHA512
f36a34070ee92027d07672efc4b0a31051ebe6e883db23fc859bed1c534a0c046547ac9e3f8d4ca0619f8054d658fcf33d3ec927ad82b88166177daef7fa280f

Download Submit
C:\Users\Admin\Downloads\ukce.exe
Filesize
565KB

MD5
22f745f3275261884d9512a4114ca3f1

SHA1
f9b40d9e1c15537e7c08a1a13367c89a732d8e66

SHA256
c87a0d8dc6bb78abe850f48013e4c788285ade38cfabee145af909772c356ed7

SHA512
0492f86d38b4f9770c7cb6d4e5dedd39006bc455d07d91eaaf5c198896f01e62b92ad85b48ef778108b4b3a5c7cb330d067ed7052f262f8b8110e6cad11bb0dd

Download Submit
C:\Users\Admin\Downloads\usIc.exe
Filesize
776KB

MD5
fdf09580611babdec8053a6273c47acd

SHA1
58298851886811c705aafe8156ee816581689199

SHA256
902345ff8683eb4e78e7b306fdee881e45ed2f94fd0dda9d2fec109c09c74b02

SHA512
c3b0ee336d9db1f40b741400511a1a4f2ab23e3366ce4157dfe0bf1fab6b4823d42424fcfab1d395b7175b9b5705633f9b32b093c7371457c25c5f28c1d11921

Download Submit
C:\Users\Admin\Downloads\wQsK.exe
Filesize
194KB

MD5
9cae79cb72bd8d286db93c182c1f3317

SHA1
188e41a711f9730ef34f8b8dc4cb9a590c8f4334

SHA256
07bbc96515a1fd09a46da2849a7ecafe11367090c68e8ff1197436507c5285b6

SHA512
1d787387a4234d3a0f89b762b7109f36f9d582080c533f052b64105ea077960f7e8108527549ebe2d0c187aec0bfcd9f784a36663e275737e732fa7d77dc9095

Download Submit
C:\Users\Admin\Downloads\woUe.exe
Filesize
205KB

MD5
27dc6314ddb95ce15115d9abe15ddbbc

SHA1
de38d23e6e7d8783fc151a17d6a9abe63a4634d6

SHA256
041bc5fa007d76db0e1825544fdb71a481e27a807fb19eaae61a1e5d4c2fa6e9

SHA512
ded8957c29709353767cdb6c2f3a54372d7d367e6d141df3182e36922c5e985cd9721f1f471eae9ddc383ceae570e39a17c6da87418fbe5ef5f2b63dc32f1fde

Download Submit
C:\Users\Admin\Downloads\wwkI.exe
Filesize
195KB

MD5
7e041d38554cc61c2a4a6286dbe82b3f

SHA1
2afb8e5da191223bdf90028c09b4ae15c9f79ac0

SHA256
8053bb1ed389d4a278771d772f2d6e5240206702d6329c40fc4a9682ac389ff0

SHA512
9af2a48a7783bf9ce5c10848f91cdaaa1e89c8e8e12b877219edd301b5366936e210dc34e199a1747950943fae7161766d9119fe1f176a1f9b9d9650703069ce

Download Submit
C:\Users\Admin\Downloads\wwkU.exe
Filesize
1.0MB

MD5
a7a9a3e39054daf317b5a03895efc2ba

SHA1
7c7be32dd1a34777b1553a12768581ca45e36e1b

SHA256
a424b05bb740b6a2c035b7a8e390a1ef024d853b940caa69640133755c38aedc

SHA512
5056540d18ba7decff93c2cbf28d9528c71157e520e5685e59d1c008538bd279ceefbca3f169ca7aa1b4b0b40cf66c1f328b5b82c73077f7fc50b01decdc2072

Download Submit
C:\Users\Admin\Downloads\yAcg.exe
Filesize
198KB

MD5
a471ac95a8b6d8e9e8170f7756be5d09

SHA1
66302dcf6a5128ea6b8233782b59e3e7ede13351

SHA256
eb597d32a54cd8610b76e70687e00bc3d5d16499f5b6784d448b5ea7192ae3c6

SHA512
86dec7e053979e200ca7421389b6e6b8c3b67664383ef6b3323bf563cf6146b9254baff7c6d0569c8db8ee136f5705a1ccd1c1c67b5b189a40ec9b5c5d3ceacd

Download Submit
C:\Users\Admin\Downloads\yAgI.exe
Filesize
209KB

MD5
5b193ce2beb6ac5e29a44c3d7234f8b2

SHA1
63adc905e42c542a22e1c6efe6871b8bebe2f32d

SHA256
3bb42b470d48c68b76978056011f1a507bbd8e84e50cf58395614142bf3e401d

SHA512
b4b53eed30d09765d351b1f4c20fa8894ea5d74f4856d0a776a349b41cbb950208899bb78f014651fbe5e0c0c9d5ae97b481aaccdee4c6a5c077d4969f60d125

Download Submit
C:\Users\Admin\Downloads\yUge.exe
Filesize
314KB

MD5
4d23b709b075a43cf59a9d76fbeda867

SHA1
ce3d5857938e0abf183708c9e64552470ac9dee7

SHA256
3a5ea54d9156632119664b6e548e8687ef1ffbf9f1c953e18675587b94af0838

SHA512
37b407562a85cb64d7f3d7a336a45f121bcd917adb5376b025fbdcfcb59b2025995efb17532723775b644cfef1941cf3bbf440c16a8fce9a0424d975276bcd7e

Download Submit
C:\Users\Admin\Downloads\yYwG.exe
Filesize
794KB

MD5
3e55718304bd4abb101b7acfb8bd88e2

SHA1
a59ee1156451a478886f03846155bc0f16086634

SHA256
9312d2490425293c5d920ff5b13f3193add2c67c3d3b7066fdaa8180ab21f34b

SHA512
6e1b19ca7f61f0de0a711b5ca799528066620f8d8625081bfa06d5d441bb60bef856d98684e1a3b59b4afb201d5ddec49428ee83c816747ffa3555ae882aaead

Download Submit
C:\Users\Admin\hYMEAsUA\UckEskUQ.exe
Filesize
188KB

MD5
a930f4b276cf273ce2dfc078c8d778d4

SHA1
88de2f7d84705c9ff9d63e74b5046d368264c963

SHA256
b96136d0938393a55aa98c6f566404babaa82835e56811960facc7ffe045be28

SHA512
c9205f3ac25188b231c7812d74bb1389218de7db159a50ec6d6c88a397c109899877eedd6e211dc9b04b401c3d9b8e301c0212aed774763d1111df99112091ec

Download Submit
C:\Windows\perfc.dat
Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
\??\pipe\LOCAL\crashpad_2096_YNCNGQBAZNEGGYZB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/240-554-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/240-540-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/392-902-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/460-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/568-958-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/568-949-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/756-645-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/772-938-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/772-927-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/776-378-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/788-861-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/820-599-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/820-608-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1008-462-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1008-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1036-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1036-433-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1056-474-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1056-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1156-729-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1156-740-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1168-879-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-600-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-591-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1348-541-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1348-531-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1488-590-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1488-580-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1624-579-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1704-841-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-392-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-373-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1804-852-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1804-842-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-968-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-957-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2224-983-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2368-732-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-808-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-795-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-489-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2476-637-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2476-626-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2624-828-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2624-816-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2664-663-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2664-683-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2688-420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2688-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2828-502-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2828-939-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2828-947-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2828-511-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-986-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-973-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-817-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-388-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3044-857-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3044-871-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3128-703-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3128-713-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3468-666-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3516-523-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3516-532-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3732-695-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3732-684-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3784-619-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3784-629-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3832-752-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3892-704-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3892-694-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3988-789-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3988-778-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4148-655-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4200-512-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4200-522-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4272-769-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4272-781-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4296-977-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4332-919-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-620-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-609-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4584-751-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4584-772-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4676-553-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4676-562-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4768-500-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4840-798-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4864-408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4864-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4864-928-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-227-0x0000000002320000-0x000000000237E000-memory.dmp

Filesize
376KB

Download
memory/4872-238-0x0000000002320000-0x000000000237E000-memory.dmp

Filesize
376KB

Download
memory/4872-225-0x0000000002320000-0x000000000237E000-memory.dmp

Filesize
376KB

Download
memory/4872-224-0x0000000002320000-0x000000000237E000-memory.dmp

Filesize
376KB

Download
memory/4872-216-0x0000000002320000-0x000000000237E000-memory.dmp

Filesize
376KB

Download
memory/4984-710-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4984-722-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5000-911-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5048-890-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download