Analysis
-
max time kernel
508s -
max time network
506s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system -
submitted
09-05-2024 16:34
Static task
static1
Behavioral task
behavioral1
Sample
MalTrade.html
Resource
win11-20240426-en
General
-
Target
MalTrade.html
-
Size
1KB
-
MD5
b07bf104f3e1c53c320ff5a5fe8fd028
-
SHA1
fd2f50c490629e0e0544cccbc36853f1af0237e0
-
SHA256
2acb7cdf224a4c3845174cc56b6bb0ff8f449684b1a1175cfbbbb8a448b3ee5b
-
SHA512
c42a2fb87e356b71e409b126b61a86c5befc1ee2dcfdf222de03fa4c614bd7882c4470e48bb79bb314b533815649173e1b49f381d5c1089acab04f317a65c210
Malware Config
Extracted
C:\Users\Admin\Desktop\@[email protected]
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
Taskmgr.exedescription pid process target process PID 4868 created 4696 4868 Taskmgr.exe @[email protected] PID 4868 created 4696 4868 Taskmgr.exe @[email protected] -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops startup file 2 IoCs
Processes:
WannaCry.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1FF9.tmp WannaCry.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2010.tmp WannaCry.exe -
Executes dropped EXE 64 IoCs
Processes:
WannaCry.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exetaskdl.exetaskse.exetaskdl.exetaskse.exetaskdl.exetaskse.exetaskdl.exeXyeta.exeXyeta.exeXyeta.exetaskse.exetaskdl.exetaskse.exetaskdl.exetaskse.exetaskdl.exeXyeta.exetaskse.exetaskdl.exePolyRansom.exejaQoAoQk.exeimswsIYc.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exetaskse.exePolyRansom.exePolyRansom.exePolyRansom.exetaskdl.exepid process 3892 WannaCry.exe 4868 taskdl.exe 5448 @[email protected] 5292 @[email protected] 5444 taskhsvc.exe 1444 taskdl.exe 4544 taskse.exe 3092 @[email protected] 3560 taskdl.exe 2632 taskse.exe 3528 @[email protected] 5860 taskdl.exe 5884 taskse.exe 5872 @[email protected] 4124 taskse.exe 4696 @[email protected] 5548 taskdl.exe 5212 taskse.exe 5276 taskdl.exe 5556 taskse.exe 920 taskdl.exe 3728 taskse.exe 4660 taskdl.exe 3824 taskse.exe 3052 taskdl.exe 6056 Xyeta.exe 4124 Xyeta.exe 4348 Xyeta.exe 3528 taskse.exe 3236 taskdl.exe 5284 taskse.exe 1820 taskdl.exe 1248 taskse.exe 6120 taskdl.exe 4708 Xyeta.exe 3520 taskse.exe 5652 taskdl.exe 3992 PolyRansom.exe 1384 jaQoAoQk.exe 1224 imswsIYc.exe 4068 PolyRansom.exe 1044 PolyRansom.exe 5132 PolyRansom.exe 5620 PolyRansom.exe 4608 PolyRansom.exe 3080 PolyRansom.exe 1484 PolyRansom.exe 2060 PolyRansom.exe 5272 PolyRansom.exe 3208 PolyRansom.exe 1644 PolyRansom.exe 1248 PolyRansom.exe 5912 PolyRansom.exe 5692 PolyRansom.exe 5736 PolyRansom.exe 5504 PolyRansom.exe 5524 PolyRansom.exe 956 PolyRansom.exe 5912 PolyRansom.exe 5972 taskse.exe 5176 PolyRansom.exe 4912 PolyRansom.exe 6020 PolyRansom.exe 4820 taskdl.exe -
Loads dropped DLL 7 IoCs
Processes:
taskhsvc.exepid process 5444 taskhsvc.exe 5444 taskhsvc.exe 5444 taskhsvc.exe 5444 taskhsvc.exe 5444 taskhsvc.exe 5444 taskhsvc.exe 5444 taskhsvc.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Processes:
resource yara_rule C:\Users\Admin\Downloads\Unconfirmed 296940.crdownload upx behavioral1/memory/6056-2795-0x0000000000400000-0x000000000044F000-memory.dmp upx behavioral1/memory/6056-2797-0x0000000000400000-0x000000000044F000-memory.dmp upx behavioral1/memory/4124-2823-0x0000000000400000-0x000000000044F000-memory.dmp upx behavioral1/memory/4124-2825-0x0000000000400000-0x000000000044F000-memory.dmp upx -
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
reg.exePolyRansom.exejaQoAoQk.exeimswsIYc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eebpfwqdkzhozd402 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\"" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaQoAoQk.exe = "C:\\Users\\Admin\\rSwUwoAQ\\jaQoAoQk.exe" PolyRansom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\imswsIYc.exe = "C:\\ProgramData\\ACEcAcIA\\imswsIYc.exe" PolyRansom.exe Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaQoAoQk.exe = "C:\\Users\\Admin\\rSwUwoAQ\\jaQoAoQk.exe" jaQoAoQk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\imswsIYc.exe = "C:\\ProgramData\\ACEcAcIA\\imswsIYc.exe" imswsIYc.exe -
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
Processes:
description ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" WannaCry.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5628 6056 WerFault.exe Xyeta.exe 4488 4124 WerFault.exe Xyeta.exe 560 4348 WerFault.exe Xyeta.exe 3204 4708 WerFault.exe Xyeta.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A Taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName Taskmgr.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 6 IoCs
Processes:
msedge.exeOpenWith.exeMiniSearchHost.exeOpenWith.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1230210488-3096403634-4129516247-1000\{6862D93F-C375-4C55-AB9B-A0FDCFCBC30B} msedge.exe Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings -
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 1484 reg.exe 5696 reg.exe 2904 reg.exe 4764 reg.exe 8 reg.exe 236 reg.exe 5856 reg.exe 5504 reg.exe 5864 reg.exe 3488 reg.exe 3464 reg.exe 4300 reg.exe 5880 reg.exe 5892 reg.exe 2260 reg.exe 1900 reg.exe 2012 reg.exe 2360 reg.exe 236 reg.exe 5216 reg.exe 4932 reg.exe 4832 reg.exe 4916 reg.exe 5984 reg.exe 2152 reg.exe 5900 reg.exe 3520 reg.exe 4160 reg.exe 5216 reg.exe 2616 reg.exe 4068 reg.exe 4916 reg.exe 5736 reg.exe 2148 reg.exe 5708 reg.exe 5684 reg.exe 2040 reg.exe 5144 reg.exe 6020 reg.exe 5220 reg.exe 3856 reg.exe 5464 reg.exe 3924 reg.exe 1492 reg.exe 4128 reg.exe 1132 reg.exe 3464 reg.exe 2464 reg.exe 2104 reg.exe 6120 4076 reg.exe 5668 reg.exe 1820 reg.exe 1852 reg.exe 5452 reg.exe 5580 reg.exe 4652 reg.exe 708 reg.exe 5644 reg.exe 5384 reg.exe 4064 reg.exe 2988 reg.exe 5144 reg.exe 5772 reg.exe -
NTFS ADS 6 IoCs
Processes:
msedge.exemsedge.exemsedge.exemsedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Xyeta.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 306455.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 922663.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 296940.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskhsvc.exemsedge.exeTaskmgr.exepid process 2344 msedge.exe 2344 msedge.exe 3408 msedge.exe 3408 msedge.exe 3100 identity_helper.exe 3100 identity_helper.exe 3228 msedge.exe 3228 msedge.exe 3436 msedge.exe 3436 msedge.exe 2364 msedge.exe 2364 msedge.exe 5444 taskhsvc.exe 5444 taskhsvc.exe 5444 taskhsvc.exe 5444 taskhsvc.exe 5444 taskhsvc.exe 5444 taskhsvc.exe 5476 msedge.exe 5476 msedge.exe 5476 msedge.exe 5476 msedge.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
Taskmgr.exejaQoAoQk.exepid process 4868 Taskmgr.exe 1384 jaQoAoQk.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 44 IoCs
Processes:
msedge.exepid process 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exeTaskmgr.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exedescription pid process Token: SeIncreaseQuotaPrivilege 5864 WMIC.exe Token: SeSecurityPrivilege 5864 WMIC.exe Token: SeTakeOwnershipPrivilege 5864 WMIC.exe Token: SeLoadDriverPrivilege 5864 WMIC.exe Token: SeSystemProfilePrivilege 5864 WMIC.exe Token: SeSystemtimePrivilege 5864 WMIC.exe Token: SeProfSingleProcessPrivilege 5864 WMIC.exe Token: SeIncBasePriorityPrivilege 5864 WMIC.exe Token: SeCreatePagefilePrivilege 5864 WMIC.exe Token: SeBackupPrivilege 5864 WMIC.exe Token: SeRestorePrivilege 5864 WMIC.exe Token: SeShutdownPrivilege 5864 WMIC.exe Token: SeDebugPrivilege 5864 WMIC.exe Token: SeSystemEnvironmentPrivilege 5864 WMIC.exe Token: SeRemoteShutdownPrivilege 5864 WMIC.exe Token: SeUndockPrivilege 5864 WMIC.exe Token: SeManageVolumePrivilege 5864 WMIC.exe Token: 33 5864 WMIC.exe Token: 34 5864 WMIC.exe Token: 35 5864 WMIC.exe Token: 36 5864 WMIC.exe Token: SeIncreaseQuotaPrivilege 5864 WMIC.exe Token: SeSecurityPrivilege 5864 WMIC.exe Token: SeTakeOwnershipPrivilege 5864 WMIC.exe Token: SeLoadDriverPrivilege 5864 WMIC.exe Token: SeSystemProfilePrivilege 5864 WMIC.exe Token: SeSystemtimePrivilege 5864 WMIC.exe Token: SeProfSingleProcessPrivilege 5864 WMIC.exe Token: SeIncBasePriorityPrivilege 5864 WMIC.exe Token: SeCreatePagefilePrivilege 5864 WMIC.exe Token: SeBackupPrivilege 5864 WMIC.exe Token: SeRestorePrivilege 5864 WMIC.exe Token: SeShutdownPrivilege 5864 WMIC.exe Token: SeDebugPrivilege 5864 WMIC.exe Token: SeSystemEnvironmentPrivilege 5864 WMIC.exe Token: SeRemoteShutdownPrivilege 5864 WMIC.exe Token: SeUndockPrivilege 5864 WMIC.exe Token: SeManageVolumePrivilege 5864 WMIC.exe Token: 33 5864 WMIC.exe Token: 34 5864 WMIC.exe Token: 35 5864 WMIC.exe Token: 36 5864 WMIC.exe Token: SeBackupPrivilege 5928 vssvc.exe Token: SeRestorePrivilege 5928 vssvc.exe Token: SeAuditPrivilege 5928 vssvc.exe Token: SeTcbPrivilege 4544 taskse.exe Token: 
SeTcbPrivilege 4544 taskse.exe Token: SeTcbPrivilege 2632 taskse.exe Token: SeTcbPrivilege 2632 taskse.exe Token: SeTcbPrivilege 5884 taskse.exe Token: SeTcbPrivilege 5884 taskse.exe Token: SeDebugPrivilege 4868 Taskmgr.exe Token: SeSystemProfilePrivilege 4868 Taskmgr.exe Token: SeCreateGlobalPrivilege 4868 Taskmgr.exe Token: SeTcbPrivilege 4124 taskse.exe Token: SeTcbPrivilege 4124 taskse.exe Token: SeTcbPrivilege 5212 taskse.exe Token: SeTcbPrivilege 5212 taskse.exe Token: SeTcbPrivilege 5556 taskse.exe Token: SeTcbPrivilege 5556 taskse.exe Token: SeTcbPrivilege 3728 taskse.exe Token: SeTcbPrivilege 3728 taskse.exe Token: SeTcbPrivilege 3824 taskse.exe Token: SeTcbPrivilege 3824 taskse.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exeTaskmgr.exepid process 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exeTaskmgr.exepid process 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 3408 msedge.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe 4868 Taskmgr.exe -
Suspicious use of SetWindowsHookEx 43 IoCs
Processes:
@[email protected]@[email protected]OpenWith.exe@[email protected]MiniSearchHost.exe@[email protected]@[email protected]@[email protected]OpenWith.exepid process 5448 @[email protected] 5448 @[email protected] 5292 @[email protected] 5292 @[email protected] 6068 OpenWith.exe 3092 @[email protected] 3092 @[email protected] 5124 MiniSearchHost.exe 3528 @[email protected] 5872 @[email protected] 4696 @[email protected] 4696 @[email protected] 6068 OpenWith.exe 6068 OpenWith.exe 6068 OpenWith.exe 6068 OpenWith.exe 6068 OpenWith.exe 6068 OpenWith.exe 6068 OpenWith.exe 6068 OpenWith.exe 6068 OpenWith.exe 6068 OpenWith.exe 6068 OpenWith.exe 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3528 3928 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3408 wrote to memory of 5004 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 5004 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 
3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3468 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 2344 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 2344 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe PID 3408 wrote to memory of 3196 3408 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups and snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2860 attrib.exe 1364 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\MalTrade.html1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd89113cb8,0x7ffd89113cc8,0x7ffd89113cd82⤵PID:5004
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:22⤵PID:3468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2344 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:82⤵PID:3196
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵PID:1092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵PID:3048
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3228 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵PID:2484
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:12⤵PID:2996
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:12⤵PID:2592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5584 /prefetch:82⤵PID:4800
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5624 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3436 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:12⤵PID:4348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:12⤵PID:5044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:12⤵PID:3712
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵PID:2948
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:12⤵PID:1820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:12⤵PID:1116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:12⤵PID:4452
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:12⤵PID:1964
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:12⤵PID:1700
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:12⤵PID:1792
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵PID:4864
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6360 /prefetch:82⤵PID:3892
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4864 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5476 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:12⤵PID:1572
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:12⤵PID:5516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵PID:3052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:12⤵PID:2348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:12⤵PID:5756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵PID:5400
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:12⤵PID:1476
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:12⤵PID:4412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:12⤵PID:5680
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:12⤵PID:1148
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵PID:1044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:12⤵PID:2016
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:12⤵PID:5548
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:12⤵PID:1332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:12⤵PID:2088
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:12⤵PID:5472
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵PID:3828
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:12⤵PID:5708
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:12⤵PID:5660
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:12⤵PID:4048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:12⤵PID:5256
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:12⤵PID:4688
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:12⤵PID:5436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6864 /prefetch:82⤵PID:3808
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6980 /prefetch:82⤵
- NTFS ADS
PID:5460 -
C:\Users\Admin\Downloads\Xyeta.exe"C:\Users\Admin\Downloads\Xyeta.exe"2⤵
- Executes dropped EXE
PID:6056 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 4723⤵
- Program crash
PID:5628 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:12⤵PID:1200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:12⤵PID:3460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:12⤵PID:5340
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:12⤵PID:3532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1688 /prefetch:82⤵PID:5304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:12⤵PID:2432
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,16470859217872467626,15233750267864589667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:82⤵
- NTFS ADS
PID:5468
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4300
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5044
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2132
-
C:\Users\Admin\Desktop\WannaCry.exe
  "C:\Users\Admin\Desktop\WannaCry.exe"  1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:3892 -
C:\Windows\SysWOW64\attrib.exe
  attrib +h .  2⤵
- Views/modifies file attributes
PID:2860 -
C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q  2⤵
- Modifies file permissions
PID:3348 -
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 279211715272517.bat  2⤵  PID:1756
-
C:\Windows\SysWOW64\cscript.exe
  cscript.exe //nologo m.vbs  3⤵  PID:3808
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- Views/modifies file attributes
PID:1364 -
C:\Users\Admin\Desktop\@[email protected]PID:5448
-
C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5444 -
C:\Windows\SysWOW64\cmd.exePID:5236
-
C:\Users\Admin\Desktop\@[email protected]PID:5292
-
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet  4⤵  PID:5788
-
C:\Windows\SysWOW64\Wbem\WMIC.exe
  wmic shadowcopy delete  5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5864 -
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1444 -
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544 -
C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3092 -
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "eebpfwqdkzhozd402" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f  2⤵  PID:5592
-
C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "eebpfwqdkzhozd402" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f  3⤵
- Adds Run key to start application
PID:2132 -
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3560 -
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632 -
C:\Users\Admin\Desktop\@[email protected]PID:3528
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5860 -
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5884 -
C:\Users\Admin\Desktop\@[email protected]PID:5872
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124 -
C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:4696 -
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5548 -
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5212 -
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5276 -
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5556 -
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:920 -
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3728 -
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4660 -
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824 -
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3052 -
C:\Users\Admin\Desktop\taskse.exePID:3528
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3236 -
C:\Users\Admin\Desktop\taskse.exePID:5284
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1820 -
C:\Users\Admin\Desktop\taskse.exePID:1248
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:6120 -
C:\Users\Admin\Desktop\taskse.exePID:3520
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:5652 -
C:\Users\Admin\Desktop\taskse.exePID:5972
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4820
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5928
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6068
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5124
-
C:\Windows\System32\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4868
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\86a7728325c8457b8759c7683ea4cbba /t 5244 /p 46961⤵PID:5316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\MalTrade.html1⤵PID:2372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd89113cb8,0x7ffd89113cc8,0x7ffd89113cd82⤵PID:2400
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6056 -ip 60561⤵PID:1948
-
C:\Users\Admin\Downloads\Xyeta.exe"C:\Users\Admin\Downloads\Xyeta.exe"1⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 4442⤵
- Program crash
PID:4488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4124 -ip 41241⤵PID:5448
-
C:\Users\Admin\Downloads\Xyeta.exe"C:\Users\Admin\Downloads\Xyeta.exe"1⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 4402⤵
- Program crash
PID:560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4348 -ip 43481⤵PID:1372
-
C:\Users\Admin\Downloads\Xyeta.exe"C:\Users\Admin\Downloads\Xyeta.exe"1⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 4402⤵
- Program crash
PID:3204
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4708 -ip 47081⤵PID:5676
-
C:\Users\Admin\Downloads\PolyRansom.exe"C:\Users\Admin\Downloads\PolyRansom.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3992 -
C:\Users\Admin\rSwUwoAQ\jaQoAoQk.exe"C:\Users\Admin\rSwUwoAQ\jaQoAoQk.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:1384 -
C:\ProgramData\ACEcAcIA\imswsIYc.exe"C:\ProgramData\ACEcAcIA\imswsIYc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"2⤵PID:1484
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom3⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"4⤵PID:3156
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom5⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"6⤵PID:5844
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom7⤵
- Executes dropped EXE
PID:5132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"8⤵PID:5280
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom9⤵
- Executes dropped EXE
PID:5620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"10⤵PID:1068
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom11⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"12⤵PID:2012
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom13⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"14⤵PID:4068
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom15⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"16⤵PID:5464
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom17⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"18⤵PID:5372
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom19⤵
- Executes dropped EXE
PID:5272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"20⤵PID:6068
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom21⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"22⤵PID:5796
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom23⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"24⤵PID:5864
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom25⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"26⤵PID:2988
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom27⤵
- Executes dropped EXE
PID:5912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"28⤵PID:4580
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom29⤵
- Executes dropped EXE
PID:5692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"30⤵PID:5208
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom31⤵
- Executes dropped EXE
PID:5736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"32⤵PID:460
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom33⤵
- Executes dropped EXE
PID:5504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"34⤵PID:5028
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom35⤵
- Executes dropped EXE
PID:5524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"36⤵PID:1800
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom37⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"38⤵PID:5776
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom39⤵
- Executes dropped EXE
PID:5912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"40⤵PID:3696
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom41⤵
- Executes dropped EXE
PID:5176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"42⤵PID:4888
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom43⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"44⤵PID:5996
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV145⤵PID:5724
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom45⤵PID:676
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"46⤵PID:4996
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom47⤵PID:1900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"48⤵PID:3560
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom49⤵PID:5932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"50⤵PID:1816
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom51⤵PID:5644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"52⤵PID:4572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:5536
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom53⤵PID:5720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"54⤵PID:4912
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom55⤵PID:4024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"56⤵PID:676
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:956
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom57⤵PID:1484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"58⤵PID:3520
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom59⤵PID:1036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"60⤵PID:4048
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom61⤵PID:1000
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"62⤵PID:5820
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom63⤵PID:2068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"64⤵PID:6108
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom65⤵PID:4696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"66⤵PID:676
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom67⤵PID:5744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"68⤵PID:5896
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom69⤵PID:3048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"70⤵PID:5324
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom71⤵PID:1492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"72⤵PID:3192
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom73⤵PID:5396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"74⤵PID:3808
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom75⤵PID:396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"76⤵PID:764
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom77⤵PID:1200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"78⤵PID:1132
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom79⤵PID:460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"80⤵PID:5024
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom81⤵PID:4704
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"82⤵PID:4564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:3464
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom83⤵PID:5812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"84⤵PID:3176
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom85⤵PID:2040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"86⤵PID:2296
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom87⤵PID:3920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"88⤵PID:2060
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom89⤵PID:3708
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"90⤵PID:2160
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom91⤵PID:1200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"92⤵PID:4040
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom93⤵PID:3928
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"94⤵PID:248
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom95⤵PID:5816
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"96⤵PID:5980
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom97⤵PID:4580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"98⤵PID:5280
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom99⤵PID:1680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"100⤵PID:3208
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom101⤵PID:3340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"102⤵PID:2904
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom103⤵PID:5956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"104⤵PID:4300
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom105⤵PID:5516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"106⤵PID:1412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵PID:3344
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom107⤵PID:2928
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"108⤵PID:620
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom109⤵PID:440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"110⤵PID:1524
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom111⤵PID:5144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"112⤵PID:1248
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom113⤵PID:5776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"114⤵PID:3872
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom115⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"116⤵PID:4464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:3360
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom117⤵PID:5900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"118⤵PID:3472
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom119⤵PID:4332
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"120⤵PID:5836
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:5384
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom121⤵PID:6020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"122⤵PID:5524
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom123⤵PID:4572
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"124⤵PID:5720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1125⤵PID:1068
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom125⤵PID:5168
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"126⤵PID:3348
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom127⤵PID:580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"128⤵PID:1132
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1129⤵PID:460
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom129⤵PID:5324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"130⤵PID:5996
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom131⤵PID:5188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"132⤵PID:3080
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1133⤵PID:5612
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom133⤵PID:5892
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"134⤵PID:2828
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom135⤵PID:5760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"136⤵PID:5908
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1137⤵PID:4064
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom137⤵PID:5332
-
C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1  136⤵
- Modifies visibility of file extensions in Explorer
PID:4612 -
C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2  136⤵  PID:4716
-
C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f  136⤵  PID:1900
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoAYMIco.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""  136⤵  PID:5544
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1134⤵
- Modifies visibility of file extensions in Explorer
PID:5904 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2134⤵PID:4832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1135⤵PID:4332
-
C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f  134⤵
- UAC bypass
PID:3532 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1135⤵PID:5356
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQAgwoIU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""134⤵PID:1156
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1135⤵PID:2840
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs135⤵PID:3732
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1132⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2012 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2132⤵PID:5844
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f132⤵PID:8
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1133⤵PID:2904
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XScMQYQo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""132⤵PID:4916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1133⤵PID:5984
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs133⤵PID:5200
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1130⤵PID:1116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1131⤵PID:1876
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2130⤵PID:5728
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f130⤵
- UAC bypass
PID:2756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwgoUIkA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""130⤵PID:5280
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1131⤵PID:3104
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs131⤵PID:5652
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1128⤵
- Modifies visibility of file extensions in Explorer
PID:6068 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2128⤵
- Modifies registry key
PID:4916 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1129⤵PID:3608
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f128⤵PID:5524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1129⤵PID:3488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwowwoIA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""128⤵PID:4688
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs129⤵PID:6132
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1126⤵
- Modifies visibility of file extensions in Explorer
PID:5932 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1127⤵PID:2376
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2126⤵PID:3036
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f126⤵PID:3612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGQAQkgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""126⤵PID:2360
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs127⤵PID:5028
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1124⤵
- Modifies visibility of file extensions in Explorer
PID:4456 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2124⤵
- Modifies registry key
PID:3520 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1125⤵PID:5768
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f124⤵
- Modifies registry key
PID:3856 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1125⤵PID:5348
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEAAgAYo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""124⤵PID:1092
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs125⤵PID:1376
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1122⤵
- Modifies visibility of file extensions in Explorer
PID:2840 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2122⤵PID:5352
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1123⤵PID:1148
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f122⤵
- Modifies registry key
PID:5900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEcIAsAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""122⤵PID:5908
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs123⤵PID:3320
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1120⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3488 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2120⤵PID:5496
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:424
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f120⤵PID:4996
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:3872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiAcQQoU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""120⤵PID:5304
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs121⤵PID:5636
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1118⤵
- Modifies visibility of file extensions in Explorer
PID:5720 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2118⤵PID:5652
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f118⤵PID:3456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkUYIwcw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""118⤵PID:5348
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs119⤵PID:5484
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1116⤵PID:2872
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2116⤵PID:5980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:1484
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f116⤵
- UAC bypass
- Modifies registry key
PID:5696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsAwQosE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""116⤵PID:2376
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:1852
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs117⤵PID:5524
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1114⤵PID:3928
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2114⤵PID:4300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:676
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f114⤵
- UAC bypass
PID:3528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIkAQQEk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""114⤵PID:5264
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs115⤵PID:1372
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1112⤵
- Modifies visibility of file extensions in Explorer
PID:3132 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2112⤵
- Modifies registry key
PID:4916 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f112⤵
- UAC bypass
- Modifies registry key
PID:5220 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWowookU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""112⤵PID:2260
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs113⤵PID:2076
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1110⤵
- Modifies visibility of file extensions in Explorer
PID:3928 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:4616
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2110⤵PID:5684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:3812
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f110⤵
- UAC bypass
PID:5264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IigAkwMI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""110⤵PID:5652
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs111⤵PID:396
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1108⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3924 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2108⤵
- Modifies registry key
PID:5864 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f108⤵
- UAC bypass
- Modifies registry key
PID:1852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQMMwAYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""108⤵PID:2784
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs109⤵PID:1952
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1106⤵PID:5652
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵PID:3536
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2106⤵PID:5596
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f106⤵
- UAC bypass
PID:3208 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵PID:5796
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeoUMksk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""106⤵PID:708
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs107⤵PID:4820
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1104⤵
- Modifies registry key
PID:4064 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2104⤵PID:3924
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f104⤵PID:5200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqUsIsAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""104⤵PID:760
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:5868
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs105⤵PID:2160
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1102⤵
- Modifies visibility of file extensions in Explorer
PID:5304 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2102⤵PID:5312
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f102⤵
- UAC bypass
PID:6024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcoAoEoQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""102⤵PID:5932
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs103⤵PID:4616
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1100⤵PID:2360
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2100⤵PID:4068
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f100⤵
- UAC bypass
PID:5816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMwAYMoI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""100⤵PID:5508
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:5572
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs101⤵PID:8
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 198⤵
- Modifies visibility of file extensions in Explorer
PID:5956 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 298⤵PID:428
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f98⤵
- UAC bypass
PID:2464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySgUckkc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""98⤵PID:236
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs99⤵PID:5356
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 196⤵
- Modifies visibility of file extensions in Explorer
PID:488 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 296⤵PID:5792
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f96⤵
- UAC bypass
PID:5820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wygcAwws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""96⤵PID:3100
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs97⤵PID:3048
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 194⤵PID:2060
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 294⤵PID:4884
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV195⤵PID:2016
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f94⤵PID:3472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwQUgsgQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""94⤵PID:4568
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs95⤵PID:4412
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 192⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5464 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 292⤵PID:3924
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f92⤵
- UAC bypass
PID:956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwAMUoww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""92⤵PID:2616
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs93⤵PID:5468
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 190⤵
- Modifies visibility of file extensions in Explorer
PID:1036 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 290⤵PID:3356
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f90⤵
- UAC bypass
PID:5868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSQYEsgk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""90⤵PID:1876
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs91⤵PID:5552
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 188⤵PID:1900
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 288⤵
- Modifies registry key
PID:5504 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f88⤵
- UAC bypass
PID:2148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkAkUMcI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""88⤵PID:2460
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:764
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs89⤵PID:4916
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 186⤵
- Modifies visibility of file extensions in Explorer
PID:5356 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 286⤵PID:1816
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f86⤵
- UAC bypass
PID:5296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMswEksU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""86⤵PID:5264
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs87⤵PID:5340
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 184⤵PID:3204
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:3192
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 284⤵PID:5480
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f84⤵
- UAC bypass
PID:3104 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:5324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIYYckEQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""84⤵PID:5372
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs85⤵PID:460
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 182⤵PID:324
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 282⤵PID:3080
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f82⤵
- UAC bypass
- Modifies registry key
PID:4068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUwIUIgI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""82⤵PID:236
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs83⤵PID:5648
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 180⤵
- Modifies visibility of file extensions in Explorer
PID:5264 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 280⤵PID:5356
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f80⤵PID:3344
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igMUoAcw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""80⤵PID:4464
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs81⤵PID:3848
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 178⤵PID:5484
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 278⤵PID:4572
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f78⤵
- UAC bypass
PID:2904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKYocIoM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""78⤵PID:3992
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs79⤵PID:2832
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 176⤵PID:5624
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 276⤵PID:1000
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f76⤵
- UAC bypass
PID:5760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMoswYQQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""76⤵PID:3204
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs77⤵PID:1956
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 174⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1820 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 274⤵PID:5280
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:5476
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f74⤵PID:5864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqIsgEkw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""74⤵PID:4916
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs75⤵PID:4568
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 172⤵PID:2076
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 272⤵
- Modifies registry key
PID:5384 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f72⤵PID:4884
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:5608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCIUUQsY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""72⤵PID:4612
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs73⤵PID:1972
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 170⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2104 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 270⤵PID:1092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵PID:2396
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f70⤵
- UAC bypass
PID:1756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOosEIww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""70⤵PID:2148
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs71⤵PID:3920
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 168⤵PID:4604
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:2500
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 268⤵PID:4752
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f68⤵
- UAC bypass
PID:4464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoAQYoMg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""68⤵PID:2068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:5808
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs69⤵PID:5228
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 166⤵
- Modifies registry key
PID:5880 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:4076
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 266⤵PID:3156
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f66⤵
- UAC bypass
PID:5844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMwkkIYQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""66⤵PID:2856
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs67⤵PID:3696
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 164⤵
- Modifies registry key
PID:236 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 264⤵PID:3520
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f64⤵
- UAC bypass
PID:3404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwkQYMUk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""64⤵PID:2336
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs65⤵PID:3092
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 162⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5644 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 262⤵PID:5676
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f62⤵PID:424
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lckkQsMI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""62⤵PID:760
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs63⤵PID:3360
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 160⤵PID:5808
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 260⤵PID:5216
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f60⤵
- UAC bypass
- Modifies registry key
PID:5144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuQwoYIM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""60⤵PID:5168
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs61⤵PID:3812
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 158⤵PID:6124
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 258⤵PID:3708
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f58⤵
- UAC bypass
PID:1956 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV159⤵PID:3700
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcEMggEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""58⤵PID:5396
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs59⤵PID:1492
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 156⤵PID:5820
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 256⤵PID:2296
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:788
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f56⤵PID:5744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuwYMgIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""56⤵PID:332
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs57⤵PID:5776
-
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 (tree level 54)
- Modifies visibility of file extensions in Explorer (HideFileExt=1 hides known extensions for the current user — a common masquerading aid, since an executable named like a document then shows no .exe suffix; this is a per-user HKCU write and needs no elevation)
PID:5796 -
C:\Windows\SysWOW64\reg.exe — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 (tree level 54)
- Modifies registry key (Hidden=2 is Explorer's "do not show hidden files and folders" setting; paired with the HideFileExt=1 write above it keeps dropped artefacts out of sight, so treat it as part of the same defense-evasion behaviour rather than a generic key modification)
PID:4300 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f54⤵
- UAC bypass
PID:2016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aosYEEAw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""54⤵PID:5876
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs55⤵PID:1412
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 152⤵
- Modifies visibility of file extensions in Explorer
PID:4980 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 252⤵
- Modifies registry key
PID:236 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵
- Modifies registry key
PID:708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGQAkAkQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""52⤵PID:912
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵PID:3100
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵
- Modifies visibility of file extensions in Explorer
PID:5068 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵PID:5364
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵PID:5768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGAYwQkQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""50⤵PID:4652
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵PID:672
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵PID:3680
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 148⤵PID:5752
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 248⤵PID:1332
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f48⤵
- UAC bypass
PID:5988 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵PID:5796
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAQwAwIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""48⤵PID:5704
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs49⤵PID:3856
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 146⤵
- Modifies visibility of file extensions in Explorer
PID:3156 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 246⤵PID:956
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f46⤵
- UAC bypass
PID:5652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkcUAQQs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""46⤵PID:4500
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs47⤵PID:5384
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 144⤵
- Modifies visibility of file extensions in Explorer
PID:5876 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 244⤵PID:5484
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f44⤵PID:4128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCcMkoQU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""44⤵PID:5308
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs45⤵PID:5324
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 142⤵PID:5956
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 242⤵PID:2244
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f42⤵
- UAC bypass
PID:2396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RicAwAUA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""42⤵PID:1068
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs43⤵PID:5332
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 140⤵
- Modifies visibility of file extensions in Explorer
PID:5340 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 240⤵
- Modifies registry key
PID:1132 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f40⤵
- UAC bypass
PID:5280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWsckMgM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""40⤵PID:2360
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs41⤵PID:788
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 138⤵
- Modifies visibility of file extensions in Explorer
PID:2616 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 238⤵PID:580
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f38⤵
- UAC bypass
PID:2260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMwAgAEM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""38⤵PID:3628
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs39⤵PID:2500
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵PID:5772
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵PID:5792
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵
- UAC bypass
PID:5864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGQcUUcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""36⤵PID:4412
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵PID:424
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵
- Modifies visibility of file extensions in Explorer
PID:5724 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵
- Modifies registry key
PID:4128 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵
- UAC bypass
PID:5796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkYMQQMA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""34⤵PID:5168
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs35⤵PID:5428
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵
- Modifies visibility of file extensions in Explorer
PID:5836 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵PID:5244
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f32⤵
- UAC bypass
PID:2504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuAYkIwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""32⤵PID:1788
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵PID:5964
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2360 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵
- Modifies registry key
PID:8 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵PID:2460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEUwMgMo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""30⤵PID:3356
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵PID:5928
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵PID:5384
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵PID:5516
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵PID:4616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECMogAUg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""28⤵PID:5980
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵PID:2904
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵
- Modifies visibility of file extensions in Explorer
PID:5976 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵PID:5684
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵PID:5328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIEcUoII.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""26⤵PID:1484
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs27⤵PID:5908
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵
- Modifies registry key
PID:5216 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵PID:3176
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵
- UAC bypass
- Modifies registry key
PID:4764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqosoYEk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""24⤵PID:2608
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs25⤵PID:484
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵PID:3928
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵PID:5956
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵
- UAC bypass
- Modifies registry key
PID:4160 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYUUIAoY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""22⤵PID:6028
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵PID:1948
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 120⤵PID:4864
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 220⤵PID:2832
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f20⤵
- Modifies registry key
PID:1492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEoIgAYI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""20⤵PID:1268
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵PID:5788
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 118⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5984 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 218⤵
- Modifies registry key
PID:2904 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f18⤵
- UAC bypass
PID:3924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOQYgMkM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""18⤵PID:2360
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs19⤵PID:1096
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 116⤵
- Modifies registry key
PID:5144 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 216⤵PID:5908
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f16⤵
- UAC bypass
PID:5376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DycQQIEY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""16⤵PID:2204
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵PID:3520
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 114⤵
- Modifies visibility of file extensions in Explorer
PID:1572 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 214⤵
- Modifies registry key
PID:4652 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f14⤵PID:5308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skwYgkYk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""14⤵PID:892
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs15⤵PID:2988
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵
- Modifies visibility of file extensions in Explorer
PID:4220 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵
- Modifies registry key
PID:3464 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵
- UAC bypass
PID:5808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wigYkwcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""12⤵PID:3700
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵PID:5276
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2040 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵PID:5240
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵PID:5252
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCEwMwwc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""10⤵PID:1644
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵PID:788
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 18⤵PID:332
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 28⤵PID:2360
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵
- UAC bypass
PID:1320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsMgQAwo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""8⤵PID:3732
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵PID:5972
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies registry key
PID:5684 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:4848
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:672
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biksoUUE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""6⤵PID:3520
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:5324
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:1916
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:5336
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
PID:5264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIUsAgss.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""4⤵PID:5552
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:4572
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
PID:6096 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:3808
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:1860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wusMYcEk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""2⤵PID:2988
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:5536
-
C:\Users\Admin\Downloads\PolyRansom.exe — "C:\Users\Admin\Downloads\PolyRansom.exe" (tree level 1)
- Executes dropped EXE
PID:6020 -
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom" (tree level 2) PID:2816 — the image is SysWOW64\cmd.exe although the command line names system32, i.e. a 32-bit parent subject to file-system redirection
-
C:\Users\Admin\Downloads\PolyRansom.exe — C:\Users\Admin\Downloads\PolyRansom (tree level 3) PID:3352 — note the extension-less command line: cmd.exe resolves "PolyRansom" to PolyRansom.exe via its normal PATHEXT lookup. This cmd.exe → PolyRansom.exe pair repeats down to tree level 91, so the sample appears to re-launch itself in a loop, and each instance also spawns the reg.exe / .bat / cscript chain listed elsewhere in the tree; a detection on "PolyRansom.exe" launching cmd.exe with its own extension-less path is more specific than any single registry write.
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"4⤵PID:2060
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom5⤵PID:1956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"6⤵PID:788
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom7⤵PID:5888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"8⤵PID:3036
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom9⤵PID:3156
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"10⤵PID:5608
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom11⤵PID:620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"12⤵PID:1524
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom13⤵PID:5380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"14⤵PID:1900
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom15⤵PID:5864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"16⤵PID:1556
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom17⤵PID:5768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"18⤵PID:3608
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom19⤵PID:5916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"20⤵PID:2816
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom21⤵PID:5572
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"22⤵PID:2532
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom23⤵PID:3536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"24⤵PID:956
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom25⤵PID:4032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"26⤵PID:5624
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom27⤵PID:440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"28⤵PID:5920
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom29⤵PID:6108
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"30⤵PID:2456
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom31⤵PID:2948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"32⤵PID:3708
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom33⤵PID:4068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"34⤵PID:5688
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom35⤵PID:5372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"36⤵PID:1376
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom37⤵PID:3868
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"38⤵PID:1316
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom39⤵PID:4916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"40⤵PID:5728
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom41⤵PID:5540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"42⤵PID:5768
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom43⤵PID:5396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"44⤵PID:5580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV145⤵PID:5424
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom45⤵PID:5252
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"46⤵PID:4616
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom47⤵PID:5488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"48⤵PID:2108
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom49⤵PID:2204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"50⤵PID:2784
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom51⤵PID:244
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"52⤵PID:4456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:5296
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom53⤵PID:5212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"54⤵PID:4716
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom55⤵PID:5760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"56⤵PID:4284
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:788
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom57⤵PID:2608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"58⤵PID:5364
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom59⤵PID:4160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"60⤵PID:1068
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom61⤵PID:4592
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"62⤵PID:980
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom63⤵PID:4568
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"64⤵PID:1148
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom65⤵PID:2208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"66⤵PID:4864
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom67⤵PID:5448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"68⤵PID:892
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom69⤵PID:5460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"70⤵PID:4032
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom71⤵PID:5612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"72⤵PID:4412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:1524
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom73⤵PID:620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"74⤵PID:1860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:1248
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom75⤵PID:5644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"76⤵PID:2456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:5448
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom77⤵PID:3080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"78⤵PID:4092
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom79⤵PID:1916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"80⤵PID:5676
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom81⤵PID:6108
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"82⤵PID:1000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:2244
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom83⤵PID:4300
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"84⤵PID:1936
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:1036
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom85⤵PID:5212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"86⤵PID:5764
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:4660
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom87⤵PID:4544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"88⤵PID:4032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:5980
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom89⤵PID:5460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"90⤵PID:5228
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:1132
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom91⤵PID:4068
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 190⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5708 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:5676
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 290⤵PID:5428
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f90⤵PID:4652
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:2456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqkIcsIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""90⤵PID:5212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:5380
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs91⤵PID:5188
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 188⤵PID:5284
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:4092
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 288⤵PID:4048
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:3100
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f88⤵PID:6132
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:708
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKUwogMs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""88⤵PID:3928
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs89⤵PID:3708
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 186⤵
- Modifies visibility of file extensions in Explorer
PID:5028 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:2784
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 286⤵PID:5900
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:4912
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f86⤵
- Modifies registry key
PID:2148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsUscEgA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""86⤵PID:3992
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs87⤵PID:5484
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 184⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5580 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:1916
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 284⤵PID:5536
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f84⤵
- UAC bypass (more precisely UAC disablement: `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0` turns UAC off system-wide; writing under HKLM already requires an elevated token, so this is post-elevation hardening removal rather than an elevation primitive, and the same command is issued at every recursion depth shown in this tree)
PID:4932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REIoYcoc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""84⤵PID:1092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:1412
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs85⤵PID:2380
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 182⤵
- Modifies visibility of file extensions in Explorer
PID:1756 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 282⤵PID:5176
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f82⤵PID:3320
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:3628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUQEkMUg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""82⤵PID:5880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:5372
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs83⤵PID:2060
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 180⤵
- Modifies visibility of file extensions in Explorer
PID:2464 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:2532
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 280⤵PID:5904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:3356
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f80⤵
- UAC bypass
- Modifies registry key
PID:4832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIYEQcYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""80⤵PID:5216
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:5916
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs81⤵PID:5900
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 178⤵PID:892
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 278⤵PID:4688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:6124
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f78⤵
- UAC bypass
PID:4272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmgUYsEg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""78⤵PID:6008
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs79⤵PID:5696
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 176⤵PID:5916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:2296
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 276⤵
- Modifies registry key
PID:5772 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:2104
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f76⤵PID:5216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egYQcEAA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""76⤵PID:4284
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:5516
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs77⤵PID:1572
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 174⤵PID:4660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:980
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 274⤵
- Modifies registry key
PID:2988 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f74⤵PID:3520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyAMIwgE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""74⤵PID:396
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:912
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs75⤵PID:5688
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 172⤵PID:5332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:4864
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 272⤵PID:4832
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f72⤵PID:3236
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:1556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyccMAcc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""72⤵PID:4348
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:2204
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs73⤵PID:5352
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 170⤵PID:5888
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 270⤵
- Modifies registry key
PID:5452 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f70⤵
- UAC bypass
PID:5820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pusgwMgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""70⤵PID:3208
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs71⤵PID:6068
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 168⤵PID:2072
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 268⤵PID:5284
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f68⤵
- Modifies registry key
PID:5736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pekgYUkI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""68⤵PID:4500
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs69⤵PID:5068
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 166⤵
- Modifies visibility of file extensions in Explorer
PID:5856 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 266⤵PID:4788
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f66⤵
- UAC bypass
PID:2376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOwsYgIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""66⤵PID:5624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:3868
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs67⤵PID:5188
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 164⤵
- Modifies visibility of file extensions in Explorer
PID:5792 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV165⤵PID:3100
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 264⤵PID:3356
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f64⤵PID:5108
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUkgUEkg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""64⤵PID:4704
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs65⤵PID:1800
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 162⤵
- Modifies visibility of file extensions in Explorer
PID:4284 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 262⤵PID:2148
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f62⤵PID:788
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kggEQkcg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""62⤵PID:6096
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs63⤵PID:4612
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 160⤵PID:5460
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 260⤵PID:5760
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f60⤵
- UAC bypass
PID:5696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYYEIEcA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""60⤵PID:3856
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs61⤵PID:2208
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 158⤵PID:2396
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 258⤵PID:2376
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f58⤵PID:2820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcsQQEAU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""58⤵PID:3064
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs59⤵PID:5768
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 156⤵PID:4704
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 256⤵
- Modifies registry key
PID:1484 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f56⤵
- UAC bypass
PID:484 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:5888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUsIUEAo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""56⤵PID:5756
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs57⤵PID:3848
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 154⤵
- Modifies visibility of file extensions in Explorer
PID:5252 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 254⤵PID:980
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f54⤵PID:5284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKAsUYYY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""54⤵PID:5844
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵PID:3920
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs55⤵PID:2816
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 152⤵PID:3844
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 252⤵
- Modifies registry key
PID:1900 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:5176
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵PID:5756
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:4652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUksYcsY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""52⤵PID:4092
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵PID:5916
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵
- Modifies visibility of file extensions in Explorer
PID:3520 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵PID:5868
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵PID:580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOUQgEQU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""50⤵PID:4864
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵PID:5484
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 148⤵
- Modifies visibility of file extensions in Explorer
PID:5280 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵PID:3092
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 248⤵PID:1644
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f48⤵
- UAC bypass
PID:5676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQUQsowU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""48⤵PID:6020
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs49⤵PID:5168
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 146⤵
- Modifies visibility of file extensions in Explorer
PID:3696 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 246⤵PID:4912
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f46⤵PID:5980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaUwIUgY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""46⤵PID:5916
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs47⤵PID:332
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 144⤵PID:3808
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 244⤵PID:248
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f44⤵PID:5864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAowwwAQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""44⤵PID:1936
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs45⤵PID:3308
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 142⤵
- Modifies visibility of file extensions in Explorer
PID:1000 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 242⤵PID:1680
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f42⤵
- UAC bypass
PID:4820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOsEEgYA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""42⤵PID:2204
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs43⤵PID:3844
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 140⤵PID:1820
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 240⤵PID:2104
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f40⤵PID:4300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV141⤵PID:2948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LugsgUMM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""40⤵PID:2108
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs41⤵PID:6120
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 138⤵
- Modifies visibility of file extensions in Explorer
PID:4788 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵PID:5876
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 238⤵
- Modifies registry key
PID:2260 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f38⤵
- UAC bypass
PID:5944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoIQUEMY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""38⤵PID:1096
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs39⤵PID:5792
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵
- Modifies registry key
PID:5892 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵PID:5828
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV137⤵PID:3576
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵PID:1484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgIgQEoU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""36⤵PID:2872
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵PID:2828
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵
- Modifies registry key
PID:4932 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵PID:5384
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵
- UAC bypass
PID:5984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkAYkcIU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""34⤵PID:2244
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs35⤵PID:5956
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5856 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵PID:1068
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵PID:4580
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f32⤵
- UAC bypass
- Modifies registry key
PID:5216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmkAAkUs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""32⤵PID:5676
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵PID:5336
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵PID:2300
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵PID:3992
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵PID:4572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV131⤵PID:4888
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵
- UAC bypass
PID:676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEkcMoAA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""30⤵PID:2124
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵PID:3048
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵
- Modifies visibility of file extensions in Explorer
PID:5244 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵PID:3560
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵PID:5488
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵PID:1000
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsoYEQwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""28⤵PID:5764
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵PID:5496
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵
- Modifies visibility of file extensions in Explorer
PID:5792 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵PID:6068
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵
- Modifies registry key
PID:6020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZegkYUQo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""26⤵PID:5980
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs27⤵PID:5208
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵
- Modifies visibility of file extensions in Explorer
PID:1876 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵PID:5596
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵
- UAC bypass
PID:5496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAUAUgwc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""24⤵PID:4068
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs25⤵PID:5424
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵
- Modifies visibility of file extensions in Explorer
PID:484 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵PID:3872
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵PID:4984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egIgUUcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""22⤵PID:3920
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵PID:5996
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵PID:5684
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 120⤵
- Modifies visibility of file extensions in Explorer
PID:2208 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 220⤵
- Modifies registry key
PID:5668 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f20⤵PID:1952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKEcEMEc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""20⤵PID:4568
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵PID:3628
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 118⤵
- Modifies registry key
PID:2464 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 218⤵PID:1860
-
- C:\Windows\SysWOW64\reg.exe (level 18) — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  PID: 2060
- C:\Windows\SysWOW64\cmd.exe (level 18) — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIkAUwog.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
  PID: 4884
- C:\Windows\SysWOW64\cscript.exe (level 19) — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID: 1168
- C:\Windows\SysWOW64\reg.exe (level 16) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  PID: 5892
- C:\Windows\SysWOW64\reg.exe (level 16) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  PID: 5212
- C:\Windows\SysWOW64\reg.exe (level 16) — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  PID: 3576
- C:\Windows\SysWOW64\cmd.exe (level 16) — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoIsMcYk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
  PID: 4040
- C:\Windows\System32\Conhost.exe (level 17) — \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 2360
- C:\Windows\SysWOW64\cscript.exe (level 17) — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID: 1524
- C:\Windows\SysWOW64\reg.exe (level 14) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  PID: 5496
- C:\Windows\SysWOW64\reg.exe (level 14) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
  PID: 2152
- C:\Windows\SysWOW64\reg.exe (level 14) — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  PID: 1332
- C:\Windows\SysWOW64\cmd.exe (level 14) — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGYYwEoc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
  PID: 5208
- C:\Windows\SysWOW64\cscript.exe (level 15) — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID: 5544
- C:\Windows\SysWOW64\reg.exe (level 12) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  PID: 1248
- C:\Windows\SysWOW64\reg.exe (level 12) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
  PID: 3464
- C:\Windows\SysWOW64\reg.exe (level 12) — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  PID: 5704
- C:\Windows\SysWOW64\cmd.exe (level 12) — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkYscYYQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
  PID: 1116
- C:\Windows\SysWOW64\cscript.exe (level 13) — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID: 3152
- C:\Windows\SysWOW64\reg.exe (level 10) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  PID: 2040
- C:\Windows\SysWOW64\reg.exe (level 10) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  PID: 5960
- C:\Windows\SysWOW64\reg.exe (level 10) — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  PID: 5336
- C:\Windows\SysWOW64\cmd.exe (level 10) — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkAUUoIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
  PID: 3404
- C:\Windows\SysWOW64\cscript.exe (level 11) — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID: 2376
- C:\Windows\SysWOW64\reg.exe (level 8) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID: 4076
- C:\Windows\SysWOW64\reg.exe (level 8) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  PID: 2076
- C:\Windows\SysWOW64\reg.exe (level 8) — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  - Modifies registry key
  PID: 2616
- C:\Windows\System32\Conhost.exe (level 9) — \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 6024
- C:\Windows\SysWOW64\cmd.exe (level 8) — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwoMQgsI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
  PID: 3924
- C:\Windows\SysWOW64\cscript.exe (level 9) — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID: 5596
- C:\Windows\SysWOW64\reg.exe (level 6) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  PID: 5176
- C:\Windows\SysWOW64\reg.exe (level 6) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  PID: 5296
- C:\Windows\SysWOW64\reg.exe (level 6) — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  PID: 3700
- C:\Windows\SysWOW64\cmd.exe (level 6) — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYMIQsco.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
  PID: 2784
- C:\Windows\SysWOW64\cscript.exe (level 7) — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID: 5552
- C:\Windows\SysWOW64\reg.exe (level 4) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  PID: 5912
- C:\Windows\SysWOW64\reg.exe (level 4) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  PID: 2460
- C:\Windows\SysWOW64\reg.exe (level 4) — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  PID: 1936
- C:\Windows\SysWOW64\cmd.exe (level 4) — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMYYgsoU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
  PID: 548
- C:\Windows\SysWOW64\cscript.exe (level 5) — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID: 5476
- C:\Windows\SysWOW64\reg.exe (level 2) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  PID: 5380
- C:\Windows\SysWOW64\reg.exe (level 2) — reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  PID: 5644
- C:\Windows\SysWOW64\reg.exe (level 2) — reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  PID: 672
- C:\Windows\SysWOW64\cmd.exe (level 2) — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUUYMQQA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
  PID: 5536
- C:\Windows\SysWOW64\cscript.exe (level 3) — cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  PID: 6024
- C:\Windows\system32\DllHost.exe (level 1) — C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 4752
- C:\Windows\system32\OpenWith.exe (level 1) — C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 6068
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (5)
Downloads
-
C:\$Recycle.Bin\S-1-5-21-1230210488-3096403634-4129516247-1000\$RX7VHK1.exeFilesize
422KB
MD591e5b77adc14f41ee29478460451fdf7
SHA1bc9afaec3ba1336ea101e9a1ff2c44a62a4b782e
SHA256e44592cbf2a85848d6c2c5a8beafb5cf6389689d7b66bd1bfb3688841abab580
SHA5125c9bb08d35722b849010a2862d63ae3733277c450f6ed346bd52d902c6e700d6f837f2e67839537773b2f9990724e8b64edfe5cf0baaa2f68427ff116cc146c8
-
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]Filesize
583B
MD512a9c57d13fa02fe1ed7e5797e8c2dd2
SHA1317090dabfe9de5b8456ce2ade6c2277fc866aa2
SHA2566a4c523d33b5ef82b8f3174e79710620baab15a0c1b31e00a1243342a4f7626f
SHA512496a5b41fb57de42db8b47749694c3e7a59ed2ef5625e950e3aa3bf224bd92c97806a38c95b6a79d0bdd7cacd23c6192dd90d9c67d2124dbb0362007956ec5eb
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exeFilesize
327KB
MD58ec1a822a6188ad2c7d61c59a05881e7
SHA1f771c2e05f9297905ebc9524128d9de4c0e94c13
SHA256bdfdd506e430200e9d8887399bfda9133d50588bbf93befb105f33362c0aa4be
SHA512d42c76cdce046af22686ecaa978dc2e8c9c88ac31ff864dc832555e1d71c5347ba064b1446e457b876b458d96373a2721ac838f92b7304b87545885adaee9f5b
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exeFilesize
306KB
MD5b88e96e8541bfc2fbc61118a065f0729
SHA18a025d183e13a380ce6a12eb93dbd4306940c5a7
SHA2569d3197b209e2f6aaa7eccd93cb900da9ba60ef7e6e3eeac76d7c317c0e63bff2
SHA512ca20fa0e29b45c42c384b48f24844d9dd2cdbc5b0c723c7b2cab8962c2b51d34bf1631ef34f9e3afe074d58034c2bc287946490f997ade54d63aae526a3158b8
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exeFilesize
229KB
MD594e2208d29d9787daa6b9a7600a55248
SHA1ce728425e5b9ba5494870aa1fa0719a56ec57cdf
SHA256470c4ce1397fd43501e329b95ace7ff59008aead44c2c170f6533815b5324371
SHA5125510cc46d9baa5e9e015eb4e913e768cf951dc833707bb3c3c7b872cab70606e73f6273ed13e8e36f53d8e3cecf53cedba5a658ad11394f0c1d0e66bbbde37ca
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exeFilesize
232KB
MD546e639126d363d2364f6163ab7abf4b3
SHA1c3586622dc40a4e91d6908a410d70c0a4bccd69e
SHA256300b24824f3242d46424c5448167c8930512b9486c936652506e946a96fa3337
SHA5124cc28df460af9ebae912ce3bc894d92705888d47663af2a83c24b4150a55257a3f253e3c4d15d393252643ef4ff53ad2805163b343dbe9c644e37449d5c462f1
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exeFilesize
208KB
MD556964409db0200ac4b4480e20e8ab02d
SHA19401c397f17982026b60684f4e8f01deaaa90cf9
SHA256eb6c229344a4c8e5ae184e4f0f8042185a2d339538a773f6f85d8a22605e84c3
SHA5123383d547988518b3e35b6a5959dcf6ab50f5c88b9f99cb8fcf4c83f7fb31a9e13c272e95f7d8f3d8432bbdb3cf35fa932375688f50b28e74a0ba4048aca9dc26
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exeFilesize
232KB
MD5b084f411a0f5c3150b614e73816d3774
SHA15dfd9ce241e26bfdcf7869cb6128b860e3c3dfe7
SHA2562b2807ff486739922f08ae74bc58271e8cfed1d5af0499a7f29e894e509cd16a
SHA512ca12ddf4fa6be1acb5f9cede2f537a2a1a3756e50bf9b6c74c41a4233049deed4f9bea355d9ccfafe6335a781475b410b07c6d8bb64a2d5b198b5d903446521e
-
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exeFilesize
317KB
MD519264e8c38ba72d5737a6a3cdc9f5f77
SHA1576cfbdd2bcbafc9892f2e60dd8e3c0d6aca1d06
SHA25632bfdf8f1995966332b1043e316a5aa220800250dea3386347eff52130c61139
SHA51216458868ca4ab58b3224f0a4a637482c504d62809d681c381b67f940cc913b4de17c1d73b04b5255dbc552464bf24a46442936024886d79e79048f0934954964
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.jsonFilesize
102B
MD57d1d7e1db5d8d862de24415d9ec9aca4
SHA1f4cdc5511c299005e775dc602e611b9c67a97c78
SHA256ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda
SHA5121688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477
-
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exeFilesize
636KB
MD5c7b9a42d5af1d2580a0a0646410c8ce9
SHA1d4d8e31f4b2b1ba3c6413bc8b405db7d70056f65
SHA256e9c266e41508c6c05a9eff0d3f07eda26b5a031992fb504f6cc04b7c50093e66
SHA512cfb85e1c8631bd56eccac038ddc0b3277999ff90f77a5bfa60d07d0d8a03b822b03ae4c5bdd2d72d3e00fe8c1d0e272a6c00216684e0de3bb1f109f21c34a65a
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exeFilesize
834KB
MD545be46321d85706c35a8976e189f9c22
SHA119d6675ddaa09dbc332ff1a21e6fc417a47fe565
SHA2566c7331d07ed7bbf7b0e153a42a38ba0eea6fe73485358f2a21e8aff5c3cbe8aa
SHA5127b0365d88988eee5f0ce6bb25b2b9f50e2dc0de73b6b2d0ce6662b774f47fe0bb462288d27422e20e639bfd891a95afedd311007d1a30fe87972700f1861cdf6
-
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exeFilesize
637KB
MD507331554d68d022833873a9b44649ecb
SHA1f4b0be225aa3504ce15017b5010813e78120d556
SHA2561ad9b3144ce9df07c721583c1f87c6d32fad7609eef925f49e988d725e57e49e
SHA5121eda16079098465c1034f20960eef724cdaba96849edaa93fd033431e62f43c9d8f5e9549327795ccafc92f507a346f05ec23a63a9f4d6b873ab2320894ba052
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exeFilesize
794KB
MD55eb780e1269a4b1d0aee53dcbdc92bbd
SHA1793975fa1323c460199d18c9fc7866b659a0e159
SHA256ac713799ab0c600f3050c0648e9b4df588e7d5b23219aba5d9bef82fe8e36c77
SHA5129189ba505cd021d6d37e95b6d900a4602f2821bf843b6cadf8e9ac6a8257a38c940f95ea33bde2df1d0661bd0ed64d60a2e24c74abec43c60878cb6e157f6a0e
-
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exeFilesize
637KB
MD5e0a6acb93e78f11e2fa481c5ba40da44
SHA12e00768e90df3c2c70473a59f404bbf16b4ab19e
SHA25619278eea2724b87ddf94eb94e70a1e4be4d787b85f8b8f9752dcc5458fa365ba
SHA5122172161d931b9e9435f91dcd5564a66f023f627128bd0bc848e31836660937daabc9112ca548fc7ba6ae93d72e0788c9fc1bbd90dd3dcc35646ffe3eb8c1c6b5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58e1dd984856ef51f4512d3bf2c7aef54
SHA181cb28f2153ec7ae0cbf79c04c1a445efedd125f
SHA25634afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7
SHA512d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ffa07b9a59daf025c30d00d26391d66f
SHA1382cb374cf0dda03fa67bd55288eeb588b9353da
SHA2567052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb
SHA51225a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001Filesize
56KB
MD571e5814b4800377215c5018afc8e958d
SHA1fec74c39d3010484702bff1a27fbfbf74994d9a8
SHA256210f337cbdb5f867de1937b725e525ab7eb6b1c37e516da9b613f8d69a414f49
SHA512873d3c4aea8c33a9ad0d1359c8f4ece17b41e7e5d71deeb8765e63b4555708fedee9b28abf82912cdd8b447a87f77923ac2b86b0758a99cb09c63c6ba41ff14e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
17KB
MD5197cef2b112eec494ff9e6592e25e4a0
SHA16dc19f3be734045aad52c4e798b2a99b1d5d651b
SHA25637b770444e9bcca771c5df2afdc84510a21e5b23ec835380414a101d549f6e11
SHA512126048ca21fe7f7155d42f4fc0301824e5dbdf156252096d215cb51409807420340c433051d619b14f1153faf5c2889bd50773fcd507d12bc24ab4cb27027a0e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
31KB
MD555560ec6a66011e78a7b59f71ab661ec
SHA1c8c45e1dc152ac04a8d5cc7f3e57644f2214a736
SHA25623fc1cac88661bd884c9ba60e88c8e915a1c205e5e792d973bcf7f074cbb907d
SHA512e4ac0c9ce8a47b98c0ea7b6c533f4fbb4c1ad60ebdd855ce3acf99fac8fcb1e3c71039a964ebad384cc00eacdb4654c4bee1e869aa1339e24e0776ca129b9370
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004Filesize
88KB
MD58c1af98be3a22f0c3fb00ec9c170ae85
SHA181cfc64c2f4cc43770e4d67d05135f1505e9436e
SHA256bc41664d2320eb712848f7eff292068eedbaa1a548c96023849ddde5e3be110c
SHA512f63cdbdb9655cbb797dd7c33b7cd1472e0006e5084fa2acb85c221af23a95f687cdb92ee06fd843ed8324a31b151af29afb3f42c8e262f3d1bbdad0606d5e559
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005Filesize
73KB
MD5b5cf8ae26748570d8fb95a47f46b69e1
SHA107bed153d47f9129a944ee54dd72952deed074c8
SHA256cd398be1a91817126cef10224738e624358edf6f08043abad7e60c1aaeccc8d0
SHA512f08b9289695cf530094f076b2df4d2b0e1a1daedd00190d123b4179b2c1a1b5e8b2bb988d86fc6dc9eee117d88a58dd5b6dfe7689586c17068f5d2da01904d76
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006Filesize
48KB
MD5698faff59c042bc291c16816955e27a9
SHA13fad58f86907690fc8ae77146704ab09471dc6e4
SHA2564ded8de727632cf688ad6a68b10907b5b5a695852b9d439157101c0c46f51ab8
SHA5125e8882c7035c470efdf64ff5407e8fe5dacec2342b5437e9ac05bf83f7cd92c4f8e95018af4bbee142434dc3a4d0d6707af823beedf7b3a958a3012306f1d89f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007Filesize
102KB
MD5f3c3f7bdb9737d637dcc91a01ac754d1
SHA11ce241553620fa97d324b6d71df1ab3b9bdf08d6
SHA25605235fe55b06985718061e3c7af945bdad42c2c961e0770e0ccc3f6b7a745864
SHA512ef70a3f5fc747e288bd672a70b3e1e73f8a19e9fd995b80f833d9f861b2fb5b66e82a50ed5c121a37132056d54ae624357dd140ef641f5d8198ebfe34b455dcf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002aFilesize
18KB
MD56ed920e0f3a6447c3e5d86c552438db3
SHA14bd9cd1b552e1879e596c57e47b3813bd95dcafc
SHA256e513c909d83dcbbbb9ba1b54f1cc8e6d6044ed212d04583d1629afef46eacad6
SHA512ccd98e921f910e736fa59855a4aae6b170fed4fe359fc3790f92608b5f0ec03f2e92243fad55f51c8cb301003a4115d37c1ec4b7652e4109258b156744f3b1cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031Filesize
24KB
MD5f782de7f00a1e90076b6b77a05fa908a
SHA14ed15dad2baa61e9627bf2179aa7b9188ce7d4e1
SHA256d0b96d69ee7f70f041f493592de3805bfb338e50babdee522fcf145cb98fc968
SHA51278ec6f253e876d8f0812a9570f6079903d63dd000458f4f517ec44c8dd7468e51703ea17ecce2658d9ea1fdb5246c8db5887a16be80115bbf71fe53f439d8766
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032Filesize
199KB
MD5585ac11a4e8628c13c32de68f89f98d6
SHA1bcea01f9deb8d6711088cb5c344ebd57997839db
SHA256d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6
SHA51276d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e6ccdf1bde3223c1_0Filesize
19KB
MD5707c55fbec1a071c163d9cd133f89075
SHA110b39aaf7d9921234815293f4de4ce727f45f401
SHA25610b63910f0756a921dc2bfe0d759abc56dc3097b4491b47af517bbd0b96674d4
SHA51240af1ff49913022f55492aadf058911abc1db8364e1b8d640aa2c101a767926fbdfd94ac69e13ab2757dfb46e7b878b2ecf71705675ef5ab56f1601500924083
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD513a586ebad5c9514376e5e24b0cfe2cb
SHA143e25b01446e4e31c7d7af3aec7f88c544aa13d0
SHA25611b95cff5eda48e9bc9e3c883371e02a7866ead7cf2609039766a975301e682a
SHA5129cb165f0105000596aaa609aae8b06f7ca3ab848d69f024ace3a3a1bdcc20662e5c17f435fb953fe003efe6e7bbfd2cc9954eb47d43f7237f2e1c2eebc7fb205
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5bd2f80cff90ea77ee01b8ece976adb2e
SHA10c58c69533107e025d29d75339d4722f3607ac45
SHA256c51cedf78f51458babde722f58920b40a75a61098307e228bb6c12f9a9e2975b
SHA512c4a35ddffba384a556dc95af4d11afddd0a85c95d8f1dcb3838b0a2dd858df0c47ae83dcf27e092838af785a02aa445a2363f910784e14d6ef2032e7504be804
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD55a3b4ecc962da02370347176f9f2d08a
SHA1d77472bb1dfb951bbc4cda0a1f942a8493368c9d
SHA2563dc5a04c3c363dd65daacca477faa6b8c73cfdcd6299f736d44e8c60b2349480
SHA5128b04ee9a5d25715dbdc45c54d1c0362ea8bd7eb07fada04eec5587a9bcc0e6a582c5f2457b8063060cf398a8c01a09e8ba25ac5d787b113d40c409ba51fa13fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_best.aliexpress.com_0.indexeddb.leveldb\LOG.oldFilesize
758B
MD55c97a3e0efbdef0df6b64209ec44df6c
SHA187b6b87bdaa666d57ffbcf00218c6a31bfd1141c
SHA256be5971c6b864e18d64f7439ee1c6f3aea2e4fa489e00cdf882573648373ed356
SHA51228ed5ebae6e19576a844c5e5d470165e4934728a42a8d9c4f61373830f0bef5a121f6436e8fc46b82d6af61fd2761c0129588748a97ab458820174e9431e0745
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_best.aliexpress.com_0.indexeddb.leveldb\LOG.old~RFe5b7df6.TMPFilesize
616B
MD5e35e77a88aeed9b734abc0a511d8ed3c
SHA1f92121e49e71931b75945650db0c349d3abb437e
SHA256201f10b2415107d4a4446afd47132e338d3bb2b509f3d91932f4ebc6e3d10823
SHA5126344e03495944267b4bb798752bc6fb965203686ab57f6b1cb448789d8832f247d62ba2b086c45482c5678e76922d6355083e9925f2ba920cfc6b928fdae7e8c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5bf01a556de769db4d7edfca50c753a07
SHA1a7462ac8d3fd4a5c7bcc4a7052fcc067c68f6b17
SHA2564dccc851fa08201633a2577b9c77586b3d6bb3609744f7dd09c92c9bf229880e
SHA512b0acd84f2be207dc7712e11a4d86552ae5634cf6657a4115c1879dd18189a2a9a4811653927dbc3ef2b93c29758cce2e7872db93897d710cfa66f90fcd617b9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD5a5703c71c0cfa1c1093f20d365cefa24
SHA11389eb3e82dcc3cc29d814f9c33195465f5f29c4
SHA256584b6188680bbb994b65a35395621071a2f65a368c360504f4d33c31505d84e3
SHA5124a1232aad44d919a8089cb59ed0d4efdbd0410aa2a2b4ae92b388da62257af44209d02f6c1f1d4db1cfb4852511db868e51d6c5d9f028e6e4f994e25cdb893e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD521588e31e01f5cb27a8d8477f35b1bed
SHA16a8c11b10e4f0c2960f3d174bda92690f56d651b
SHA2568402c82ff7a89cb437a0f7f9ced13bd3751f4c41def7ebcde279e7df5ccd395b
SHA512ba7bc27bdd08779a9ef879e35bdd38661517f37f7a092ff78a6150eadb6a814141e1d5abe981c9dd7865da16cfb92087040a8f653d0d0f496af42cf2d8d4c106
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5a2eae270509cea196ff54947fe350083
SHA111b5c496f2adec07b4366fb953ede022a351a4a3
SHA256b1fefeec3150defdc799990dc4ac34b4314aae5d8b1251b889398653d66563a2
SHA5126515e2b40bffa1cef7a173fcf0fe4f72c5c84dcd20b56ce018f1db4543c532f1e08feaccebc8088434c1bbe82acfde9d5660f2c8452619d75b77d0c3957f9517
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5f6f57a0e307cc45c98d2204b60479f1b
SHA1278c7fa71ac50a7e8706e5d7ff74b1ee70c29396
SHA256f8ba60912c4cbbadbb89bb9c04d46a3db2a297e4ad6b1e70155d2b3e0b8bf427
SHA512c5953601c769800b209ce9b5f0db5fdc693bb7fd1a89f5eb574e8f0bb81f7b2d1e077f41a62c83ea0f9378869e2ee895f20cf4dd9546ae0db30ff4413b5325d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5052d86753387bb3780c456edb54e1cea
SHA1343fe0f2302d9dae78fccb423d8546d0ee8e824b
SHA256286b146dae7ffd77846d12228987500ff34d4338e5162362ade6dcb9b5fbbb25
SHA512ff13a2ff2f3bd725ff11f5a6d3d291839ba19b261ea7a4272e09cf33e6edd9fe49506d6cbf1356302db28dac83a15f1a427c7a89e4812424d12230eb3734fffc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD50b3b87ce0da1d333914c143ad4c25e1d
SHA19604f1fa2a5a33b2065efbfda2cf8d3f24dd2343
SHA256fa868aa5712a17f2d3a8df16e379983d9b5df243490a7a74fd003b761f380d34
SHA5128b74e775b6aff35cd7b5877b91371ebc894be0be4a20afb5622dc6b77438fe3dd8c0ac360507299f788922e641b5930efc3d516b923a1dde091719ba6458ad2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD521912d5299524922061982358e4dc12b
SHA12fe530796a8e3563e715513996575289c1fa8f75
SHA256c04bf5de963001e87811ce4e08d2c1d09c40a3e19d8ae3311f3fdc5057d45863
SHA512b0c050f98dc5caa9c3b926f915c2eeff792982d562b268ad4841f8b7631aaf6f09841cda83eba31d5c932b55ab1d4233892ea15b45d06f5607dd153b5e0eba27
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5d6408a207ddb8eb22bb32fb31542a61f
SHA124ea06d2d2a6dfbd5f5f0a04793a1ec225c57eb0
SHA2564605ac559bef940f43d0b0968afe33ce265a051d15cd9344a67fd931f5322355
SHA512fea06204c2d78330b7d88b4e46496c89cdc7a3d77e1927b22643237fd586c40d79b5d51a31bf7a8c9ae4467cf1023d295e67867568378885712dc6706e577ed7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5d50ae89467978ca10d3e42f20151ea5a
SHA1deecb5aa543ed1cf8fc76f73bc522b901c96eaeb
SHA256998ebe81654f85e8bca31d9c843981b9933a81a62673cf68a080ffa815c1b4fd
SHA51275ae2a787636d9761cef36ba571e064be56481cc7e6a086cab99591bdd223207846ba7694bf77c7162d9fedee7b8a539e5052fbd29aeb6401ba3b55760349ee8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5dc0909cba79a6f21b98133185f5ee8be
SHA1a614db8d427adc2b9e4f13b6e4398f47a8bfd15c
SHA2562fc53dff15cf3085945a0e43ee87c60610d00411b6d2f8f1d1a650d518525d1c
SHA512c9e8c7a0527e621ac91e0bcaa53578ce791aadeeca73a517da36c17b6233c84977fbe7332268e2658b342751cbd2ab1858b4ec774b67376bddf3ebb0d1f0ba88
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5df4e6f0ad8e3b5cb34a55b49d8762558
SHA10752bf36e988990614cd468357eb6c864bc89da9
SHA256256c2bdb6fb9baa16bb02c23c9e8d21ebb4af77fda5dd0d8c8c9b9dc459dc3a8
SHA51270b3388f105ffda4d68e53fb2b076099f773f508d3a27804e1762e7a5440f29cf24bc54a93766e7b384740b46918eb26c71da59a4e964f9eba16962cd619f8c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD58451f3a346ad554fe838e1f7c776f951
SHA12504f0edc18df057b2d8e9a3efc8b83ad2930724
SHA25625a2a6c24f58230019bffaf6d2f8654858549b30656877747be75983a4371fd0
SHA5123cd7c0d7053bae948b620f6d562c268e7eff99291dc3406e073173712198d3ff0be02a71154fca53ba6dea103dbdb7cceaf5eedc326ac029c2ae6f058f8c7bdb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\013888a1cda32b90_0Filesize
9KB
MD5e16dc7e33dfb2ae8101f82ab697d418a
SHA139b94bc0c94fa8a45a090503164e1638bdc586b4
SHA2565d9c91fe120a42cb9cebdaf11266066def36cce4fe852e0e83afe1509dead4ab
SHA5125ba3fdd00bbafff77e31b30b2af4d71b008f9ae4bf71a2029680d44902b00aab7d49c8ed5e6b96fccef28742a87c202cfaa0a74f2ea00c0b456ac95810ec85ca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\013888a1cda32b90_1Filesize
24KB
MD511445385f65235cd6f98b6ddf6527315
SHA12ea557279080723e88b685873fa17d4357632afe
SHA25675a525467cde404b00db0455f3d5353915c1e759c076719a8ee5e6f925b01150
SHA5122a8ecd909b9613606a73925db7a343c3a2f50969f5e47ccf4c301b4c467b86bb79ecd96f70c17682375b473cc7ea2f61d2459eb71a64fb33f345d9318af66d3d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0Filesize
6KB
MD53d379fd80f5246e82fa886122e02229c
SHA1ccd85307d500ac4dd6ca281c53a0cf2312a27dab
SHA25647a7e4e3d7d6511b6767e5c40358a9cd02711d093c43bd4020397215dd169b22
SHA512df7ac9c08e67d0b6ae2255356bbce92a0487f4a614c01e8c46caf182f4ed2f00d4913bab221fdbb998e954a2b59de277cb9fe0199e169bad01b0da9535ebf478
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0Filesize
81KB
MD53ef5730d7eddbf1b29732484b92fc7af
SHA1c57ec11bc5ef0165add2dc5567d007e0a1466e2e
SHA256cde900768b27b9d910ed251ec6f1066cba78b9ec0bf90d86c8f19a189a7d76c7
SHA5128584e00d8e27450116971c0fc630d3e0c4bc5957ba221725cac68b9e27c7b81e71ab8e0c1b7c81594b825eb9feb5e2ba6831d0d8ecd0826fde29f9d47dbb8a5f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1Filesize
147KB
MD5290c195785ee791fccb7011e6ea08491
SHA1aade7b6b76bd315ea32d86500c44a071ea7f8b06
SHA256bce638854d57440e29fed0ffc1f0fadf8a0495d422a71010f5b3c0855ee05f81
SHA512eab6383a833de7da10240713e8efc631431a16482cbbe3f4319d5eb8034bc4c2651deb653d22a4ce8827ad42af9fa0bb0bdc0da9c7466e74075ae4a4cfb8a265
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\67a473248953641b_0Filesize
6KB
MD5532537d68b2e264fbeb68f13d896233a
SHA189376fabc26b1d81e413fe8a80d5864d9450b934
SHA2561c8ec69dd777328638d9a3594859a3e4a5fdfc54378dc35a3f5f72271f072d23
SHA512d8c9f7884d790ce36d2dffecdf16e0f1cb4304c712c9969534b243450a8002b12e5340cd8d3e9b3269cfba872beee760a6d476eaf6146d8ae7ea01342bc15964
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1Filesize
23KB
MD5a8795a8ac3c6bdfbe7081fa9a5ec89f0
SHA11d9f0f3464662995e5027406cd86189077d877ff
SHA256ccef1465771030d1fbbad070fb8b9be72ac271ccc1e05a87ee490d4d9761fde9
SHA512e7144ed6e10f449f419b5406ad50c92af6ad682d0742b6acb873329b21b134f30a5c705fbedbb2662d29f82598b3afe417ca5a6c5ac8d3fb244b6ff847498fb9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\b6c28cea6ed9dfc1_0Filesize
1KB
MD5512fc09937ea269f2e650f017401aa02
SHA14f2ccec6ceca742559f5f718b1756628dfe9d8fa
SHA2569ef67507383094afa553edc56b6ac36af7dcf0d454cccb6c2106c8f2c0b9150f
SHA5125fc493d5fe6b07ff12ef73c219b007c9793170bcc61b1452eb2211d4c261ce9ab14fd6ab85574e2ac5548951eccf394fa2b4e1937483a74326c34d780d2bfeaa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0Filesize
5KB
MD5a1a6f02f65b2ae5fb71c8d1fb2675f28
SHA1244938d78cc48a0740832ced69a7c5579f5b27a8
SHA25620840a3c6ed6b914befe13ccd9a7b966954a83fbbd370465d3fc881eb5993e7c
SHA512d3be2493d6d1a12a5bfc223dcabb601462f6cee6a94f5372cd65ed033aefcae0da4418771ec30bafa2ad276547b7173af25a78fae040befc7adbb30e4b0a7603
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_1Filesize
13KB
MD51362056e155f54c48ff3f45f81f202fe
SHA1da775a7da37ac3e223a3f2e998193934922d8c4c
SHA256c7fded1c0b8a387018dfdfa9b945431b9d148709200d0ca3b87d0d6c0f9c6f25
SHA512de9453607344e6fa4441d821ed0599cea8ed75f3cda829e7e2e9205f413bc208f3a7a04d307cdb14c3491c4cea9ae18544cf5c8a3adcd71e8a6fabfec12ffbe7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0Filesize
2KB
MD52690029234fd164591029148441dd9ad
SHA1baf315b2a36b2381906e9009ad708cd3a38ba023
SHA256ac49454117046e463b260c3da1d2af19c87bdcc13d988eea47512a0ae157a229
SHA5129d870ec1c1f17fae18f1b9e33803111a64fb273e736c46296cc89929dece220518b7a893b7d994599ed33bc2cbd63958516b61c2c8d015086d2bc041fdab8a17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_1Filesize
3KB
MD59d1c247a3d1b1538de4d70194b73d88f
SHA1052520cab11ce1ecfb88275a9771bade92598b5d
SHA25636177006687ebfc412b458e217f023147f49c76a96daa10580aa493d404f857e
SHA512f61d4bff5d807b347b74ee5f14fc6167874c005b994331b866e207769e933cd6bbe04e7fbc8bf2c75fcc1d690abe777b801118946c8b8c902b04f2537fcf14f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\fa813c9ad67834ac_0Filesize
3KB
MD5c4f6189ad889099d5681b6875919214e
SHA1134cff1992a4bb7f42582d3dc071b09cf8649939
SHA256b0cb8c608c958e542dca9c855adc8197874716c37a91fea5401bcadbf0dc80d3
SHA512a6ebac5ab9eb20d2e8c160a813097fd815b798ca1225423e22f7827b1c3844a539c77c50ef0fd8545cd92fbb10b4a069b524e68539b7d8b8d5bbe221d11e5cdf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\fa813c9ad67834ac_1Filesize
10KB
MD58a708e4d0bbb6e825d48a4311b921641
SHA16c67a8a23a24fb66fb755eb5da39f005c0158448
SHA25694a188d4ea9b9358076dded0098a0074e187d055a0a076433f5150e9e6ee5e89
SHA5126654534e2f127c302ecc3b8dd1999a086c0e6278bc2fde9ba7852c98a5ab5042b3c0aa0b766b377ab8f91a5cbc14659fd15fe44a50d15ffeeafda19ec1e7ea88
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
240B
MD5e010444e109927273ef5f506c06d9d1d
SHA1561f69e1561b5389ca56ca2df8ab02e1a54f6f8d
SHA2562b115c7d5bb76f5196285188b1113cae1a56303a3c748870e49f5c0e84e0904f
SHA512e54a5ff6fbd9d475960fbb0ed0efa4830b29c596390248aac58b45f89866e26f0bd38cfe6be24ccc1bc615d17731a873ff8eb00b60516470c1f156b93f4371fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d958.TMPFilesize
48B
MD51ab2a9919ae81a5de6cf86955fb9d24c
SHA1e7e82be3fa1a514c7d66346401ad775b713c24a5
SHA25633616c8da62486baf9b283f3edb7c12fa4a621b4f296a0bef346ac95db9fddb5
SHA512f642bc317e75c79c42e609f39b3bbcafc781ef7b0a0e214394bfea34eb3e0b4b3879eb5ea22ca3dcdc4bbf875add88d778766d1a660038def9205c1c375f9119
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD52236865c3fd18f8f2a8a97efcbb075e5
SHA1788bd015708a25c784f9b9afc073214d72d7097a
SHA256f188b5d0cd2686df08a244f47534c5819e3ff860528e3b68a4251af78377ce18
SHA51269fc744296563508c35ea33148c0b320e8a5c496ee1da60f4a7a4572f229e9ec98b4788a1063b6c4b9021d0ebcd6705d0c6a427987b87f6847bad534c05da6be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5a586c1955bc08f2374a7a86d390cf2ad
SHA1d2edeb6ed5f553f9f0b123132fbc8a06dd9db2f1
SHA2561417b9a8ddd68e9713f9494a180032473b3bbbbbff844a7f612cc11978f6491f
SHA512b9b5bb6adb6761d7e4a9c236323c739137f715d155b336bac88cac1ae5f18d19b15cedce311b222ddee19ab40d4edd1d25b701029fc003ea73eded30d8f2e124
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD50c186aee52adadaba287f5998e9596b8
SHA1ba3ff720164cf74cb058b30704520ddc103245e5
SHA25690b5237bb8c7dcdd2d9de6d62a697f24ed3626178203d4f280f017864f13797c
SHA5122d3e90ab2d1358c570f3ff5728647fff6a4046b4134d38264ed4df61765b5a8cdcb963b8130a056f071956f3935ce511a008af7b8fb234297a7594229e10e05b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5ca9f7364ff75b8cd1970e8e78e01d7ee
SHA1d4d2322d2dafe63be6b264f09968e210b8e7d588
SHA2562fc57cf4ddddb5c7a681be2ee870a8ff48f89446ec6941906683cdaf7bcbd76b
SHA5120ee22de955c44f2935e92505063d8b6ccbc508daa69c15e0a3002a96a6c5da6458fe0063e7cc0b74c25f200076ceccb7af0c14ec29dadc8d41ceb2ed640dc13a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5d6590f3e4fa84ef4d997a94f5302c117
SHA1b407e377e8bd7ca5fbf888160ed548449f178a29
SHA256cc78fe8a0370e9d64003878662408d92ec42f16ab366e1a921cb4b8617863257
SHA51212296b5242e6bfab51951660470becff6fc33a95d32a4c1b746e800ca527fcd8b3f15e62d6e0bd1d5ca02998c6936d0d0a2b1bcd33fe352caea9078d7c826a40
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD50577afd0ae0efa278c19059be589ec28
SHA177037b543cb79f5c06047ca7b4174598cb6d6058
SHA2569c9b6e3d1e83c7b6ff7bfc7b781171667518923355ce638cffdff98a661bfcd8
SHA5125d357c4cf0b291ee8d4699cf49762f3ad1b1d1a4a00eb56e1a2eae3b959f0ae1dbce584db56b6aa6919c203d5bbecc2c3b77daa43a33013c4fa7010ee2cee61f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e3c8.TMPFilesize
2KB
MD537d0a77b80b96c4cf692c2014cfaa6a8
SHA111be72accfb13be61a8c360c15749cfbbbe53b84
SHA25680bd52394dd5f72c1a340130d4ddef90b09764a2e63bf5ce715ac1271fe1a32c
SHA51252c6e7554781adaf332eee3d9da975fa8daf57fc42b295c4e1fd6f869098e5b38d59a40b7326e0c5baa8fce66886d1c8dad0659969e4b49d03e74c3d9efd4ada
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5d5258836c15a65033ea202a5b1dc8df9
SHA18dea5bc0043e9f7e3b0fcaa69ff52f5474eb0029
SHA2569bff6ddeda39572f5e3d05643ba67058afc2c5ab2436a7362c5b77e3ce26b360
SHA5120ddb15336f7004be96a749d849e7f35be299e53b8cd7b51eb4c9f92a572f21c3f4f332493b79a652c44431d647b9836256e352acfba1eacb394c9b5561bbea8b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c05d35d5b1e613916a5569862ec6defc
SHA16c821926c53342451255fcd6a75d9c4e642cdeaf
SHA2569df7ebd3a97d4bf27f95ab50f1b85dc4ac86c0285bc5881af264ffadf95a396e
SHA5120d093a97e2791e2e5a891909d36585070f74ce29b8b5568338751cef5aec8e1f608afc09db9a70444b66979e20fb0c67fbdbf1d8f714ef131b5affc1fde5feb6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD53155e4a6f7a61bdb9b5567e434e025b1
SHA154829c1abc1f4df7aa546f23bf6422f63734d5bf
SHA2566743fcd4c72ac0f0b00cdf32b49ea4efdb527079a1f2409b96b03c2e7091070c
SHA51293a53180190a8ee60447b7002a1e7e34179706569fbb6c883b0f39313364eadcf4e32557debe9f177f70fc066dd9219eea89d0807830298c4c281fd47dcd0a85
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ad608d96-8c8f-4ee4-b300-960835ce56b3.tmpFilesize
12KB
MD55637fab1b80f58e5a3777d76f3796bcf
SHA1a53f508ea2fd7f1aa9d0a366ff316a0845bfb66e
SHA256a545745ae3a9c9e67b8f91ecbcb23a1295b0dcce626147dbb70e419d87f14b49
SHA512758c426eb3a89942def2a9f1900f25aa754715a1221febd6575edd273c1b5464af532c52ea0b93addc769b8dd463e2c6a18c4868e914cdaffae1efe1e845b0c7
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeFilesize
1.8MB
MD59b2c72e7e6087cfd19a0cdd647dbf4b6
SHA1ad81fd66fd1b90cef1c99e24a81ccbfb50456edb
SHA256480f8b02b8fe64509ca505c731cea08ed5f73d9a36bcd48fcdcccd06dc661a0c
SHA512cc1ecb3de75d633b29b5498a7439a9233a9af3a0b60a1406dd100b41a3feaa64feaafc4d3a5701ab4a47d0da1dfca02b5adf3427b5da4e2f81e8e26dce7a61c5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\activity-stream.discovery_stream.json.tmpFilesize
22KB
MD579608722bc760f865ca6a3a1447e0891
SHA1815945d977879cbc6b0f2c9b5455327f6c983be9
SHA256820c3371360517d974a6f6b2112856b19d08c7163e8fdd37d3eeeb8142344d0a
SHA5127e4081efc65d129d7e8c1fd71798734485994b067e52c3c06d512b461d267fe59522875117fe44f2e1e4a072c52da91d36ac0ae6e1b82778f3e91dec0bbee37d
-
C:\Users\Admin\AppData\Local\Temp\biksoUUE.batFilesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
C:\Users\Admin\AppData\Local\Temp\file.vbsFilesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\extensions.json.tmpFilesize
40KB
MD5ee65e9604c9ff177ca35b2c354bcd422
SHA133cea73737485bc8223a5540c735ddd4f1b52af9
SHA256ccc91084a260135cb38da90bfb94d81c1be1df0c7703d0bbfdb9efb1552b6829
SHA512ba81010d7e55ab029c061b706305afafe450ff57dba17dfe99c5d6ff20948b8b33edf182ad15b59d80a62b3953825b89d65276f274de31e45b671b60b92bbec6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs-1.jsFilesize
6KB
MD5e351235e59849f578ef9d5b96bd76be4
SHA17bda3156d454e8fc4eacd78c6dcf40108b03772b
SHA25633408fc23aafa6b3410239d3a24a95755d993482a12c818eea61f2d5a0e8403b
SHA5121f9660adf1bd509c0e9f79c3f0051f2470383dd3de8d685c8b437f9e6cb4cf9187957eb624eb686708e9f88120217e6e282ea0c4cf1c34e31de628450f042c47
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs-1.jsFilesize
6KB
MD581986a2f36380753d4108a92883afbc6
SHA1e98754b3d05ddd0d44100502ab7f45f4b48142b0
SHA256d5f6af5230231d96874c4bcd035ef2f7b5d35113351f77391f9666df7d6ea467
SHA51228fa220f7ed6bdfb8c6c5a878f24defbf069d9484b5e121dab14d6eecd0a856d8b14cb6b9e15c2d04f586e2fcfcce10dded384a5855e199a32c865c5316c609f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs.jsFilesize
4KB
MD5cb85b8e7b521b824f6a9851a4a00a0f5
SHA188774ba8039ab691cd2290a7c09e1403d042a85a
SHA25609bbfb17d59a2120b1e080699683b222c66e4b2beb652fb7a1384aeb353f68a0
SHA5124f431e75f485cc10ef8d5e3ed7f0d8f17141a536091db6420d3718f9fb13959dd2cfd010ccd4f2ec7b5ebb241cbd28911731acc766797ceac0f10d22428ea4c8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\search.json.mozlz4Filesize
402B
MD562bf51b38328644a7b0b19255f01670a
SHA1ec721b2646846245f5e6746dae3a6a1038bd1000
SHA2563a533c431f168afbfef69e3c2f7a9636c57356d05a9523ba15d0e86df772affd
SHA512648b2279c4f8efcda32a3d3de913673bdede68548f893cfa60a847bd8dc33e79528afb12b443b55a3c9a6bf4befb8a565bbc4f82853a27a6dab4148af7184f2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD5592b8e4989c4e00d0e337838c0440e36
SHA1bbde9e914e05c4bc7c9c955626e0232c99b3e08b
SHA2567ab04e1c8ea5b50a7c8f233f7c305817a9ae5ce3a7d1d3c4235054bbee64e0f3
SHA512c60f0af16068f46a594a2f91b2141055a439470e5b5842d4da649f0b70aca4ba6d9ab85314177e56d279b110014ac6544d5adba38390c9ef5a8012e7b55506a5
-
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.newFilesize
9.1MB
MD5aca8cdf4dda3d92af8ec1223cb007117
SHA1011112a0e6b24470937cfb7d64067a01490545f9
SHA25637d6e9396216809b7f65e050a879c52fcad749010edfa398d32c79068b709bdf
SHA512468e7e94b1a086fa5c9946d632c27f81e25736e6b781b54d1648f3a0d5b3f0c10c8578340495a79dd881451681cba0cac4ac13fdcdda6aa0114674866f7c98a0
-
C:\Users\Admin\Desktop\@[email protected]Filesize
933B
MD5f97d2e6f8d820dbd3b66f21137de4f09
SHA1596799b75b5d60aa9cd45646f68e9c0bd06df252
SHA2560e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a
SHA512efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0
-
C:\Users\Admin\Desktop\@[email protected]Filesize
1.6MB
MD56d969d99b8aea031e8772fb8fdf5a4b3
SHA164550c0ae8f23c88e5465d76737a3ebfa61d10a9
SHA25615d4ffcf7935b41f7a5926c90f178643428f54a4c2adc575e35cae76cb1484ad
SHA5126593d6c9decaf4c2581d0f30bbbc8f761efda907fd0a7ecadf5603f199660b46c8f329609cfa425213c7476270edad9cd887eaa0340464829e5a9d61a4f47727
-
C:\Users\Admin\Desktop\TaskData\Tor\tor.exeFilesize
3.0MB
MD5fe7eb54691ad6e6af77f8a9a0b6de26d
SHA153912d33bec3375153b7e4e68b78d66dab62671a
SHA256e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA5128ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
C:\Users\Admin\Desktop\b.wnryFilesize
1.4MB
MD5c17170262312f3be7027bc2ca825bf0c
SHA1f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
C:\Users\Admin\Desktop\c.wnryFilesize
780B
MD5383a85eab6ecda319bfddd82416fc6c2
SHA12a9324e1d02c3e41582bf5370043d8afeb02ba6f
SHA256079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21
SHA512c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252
-
C:\Users\Admin\Desktop\msg\m_bulgarian.wnryFilesize
46KB
MD595673b0f968c0f55b32204361940d184
SHA181e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA25640b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA5127601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92
-
C:\Users\Admin\Desktop\msg\m_chinese (simplified).wnryFilesize
53KB
MD50252d45ca21c8e43c9742285c48e91ad
SHA15c14551d2736eef3a1c1970cc492206e531703c1
SHA256845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA5121bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755
-
C:\Users\Admin\Desktop\msg\m_chinese (traditional).wnryFilesize
77KB
MD52efc3690d67cd073a9406a25005f7cea
SHA152c07f98870eabace6ec370b7eb562751e8067e9
SHA2565c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA5120766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c
-
C:\Users\Admin\Desktop\msg\m_croatian.wnryFilesize
38KB
MD517194003fa70ce477326ce2f6deeb270
SHA1e325988f68d327743926ea317abb9882f347fa73
SHA2563f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c
-
C:\Users\Admin\Desktop\msg\m_czech.wnryFilesize
39KB
MD5537efeecdfa94cc421e58fd82a58ba9e
SHA13609456e16bc16ba447979f3aa69221290ec17d0
SHA2565afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b
-
C:\Users\Admin\Desktop\msg\m_danish.wnryFilesize
36KB
MD52c5a3b81d5c4715b7bea01033367fcb5
SHA1b548b45da8463e17199daafd34c23591f94e82cd
SHA256a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3
-
C:\Users\Admin\Desktop\msg\m_dutch.wnryFilesize
36KB
MD57a8d499407c6a647c03c4471a67eaad7
SHA1d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA2562c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12
-
C:\Users\Admin\Desktop\msg\m_english.wnryFilesize
36KB
MD5fe68c2dc0d2419b38f44d83f2fcf232e
SHA16c6e49949957215aa2f3dfb72207d249adf36283
SHA25626fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810
-
C:\Users\Admin\Desktop\msg\m_filipino.wnryFilesize
36KB
MD508b9e69b57e4c9b966664f8e1c27ab09
SHA12da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4
-
C:\Users\Admin\Desktop\msg\m_finnish.wnryFilesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
C:\Users\Admin\Desktop\msg\m_french.wnryFilesize
37KB
MD54e57113a6bf6b88fdd32782a4a381274
SHA10fccbc91f0f94453d91670c6794f71348711061d
SHA2569bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA5124f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9
-
C:\Users\Admin\Desktop\msg\m_german.wnryFilesize
36KB
MD53d59bbb5553fe03a89f817819540f469
SHA126781d4b06ff704800b463d0f1fca3afd923a9fe
SHA2562adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA51295719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac
-
C:\Users\Admin\Desktop\msg\m_greek.wnryFilesize
47KB
MD5fb4e8718fea95bb7479727fde80cb424
SHA11088c7653cba385fe994e9ae34a6595898f20aeb
SHA256e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA51224db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb
-
C:\Users\Admin\Desktop\msg\m_indonesian.wnryFilesize
36KB
MD53788f91c694dfc48e12417ce93356b0f
SHA1eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA25623e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd
-
C:\Users\Admin\Desktop\msg\m_italian.wnryFilesize
36KB
MD530a200f78498990095b36f574b6e8690
SHA1c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA25649f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511
-
C:\Users\Admin\Desktop\msg\m_japanese.wnryFilesize
79KB
MD5b77e1221f7ecd0b5d696cb66cda1609e
SHA151eb7a254a33d05edf188ded653005dc82de8a46
SHA2567e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc
-
C:\Users\Admin\Desktop\msg\m_korean.wnryFilesize
89KB
MD56735cb43fe44832b061eeb3f5956b099
SHA1d636daf64d524f81367ea92fdafa3726c909bee1
SHA256552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA51260272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e
-
C:\Users\Admin\Desktop\msg\m_latvian.wnryFilesize
40KB
MD5c33afb4ecc04ee1bcc6975bea49abe40
SHA1fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA5120d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44
-
C:\Users\Admin\Desktop\msg\m_norwegian.wnryFilesize
36KB
MD5ff70cc7c00951084175d12128ce02399
SHA175ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19
-
C:\Users\Admin\Desktop\msg\m_polish.wnryFilesize
38KB
MD5e79d7f2833a9c2e2553c7fe04a1b63f4
SHA13d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de
-
C:\Users\Admin\Desktop\msg\m_portuguese.wnryFilesize
37KB
MD5fa948f7d8dfb21ceddd6794f2d56b44f
SHA1ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA5120d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a
-
C:\Users\Admin\Desktop\msg\m_romanian.wnryFilesize
50KB
MD5313e0ececd24f4fa1504118a11bc7986
SHA1e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
SHA25670c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1
SHA512c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730
-
C:\Users\Admin\Desktop\msg\m_russian.wnryFilesize
46KB
MD5452615db2336d60af7e2057481e4cab5
SHA1442e31f6556b3d7de6eb85fbac3d2957b7f5eac6
SHA25602932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078
SHA5127613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f
-
C:\Users\Admin\Desktop\msg\m_slovak.wnryFilesize
40KB
MD5c911aba4ab1da6c28cf86338ab2ab6cc
SHA1fee0fd58b8efe76077620d8abc7500dbfef7c5b0
SHA256e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729
SHA5123491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a
-
C:\Users\Admin\Desktop\msg\m_spanish.wnryFilesize
36KB
MD58d61648d34cba8ae9d1e2a219019add1
SHA12091e42fc17a0cc2f235650f7aad87abf8ba22c2
SHA25672f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1
SHA51268489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079
-
C:\Users\Admin\Desktop\msg\m_swedish.wnryFilesize
37KB
MD5c7a19984eb9f37198652eaf2fd1ee25c
SHA106eafed025cf8c4d76966bf382ab0c5e1bd6a0ae
SHA256146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4
SHA51243dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020
-
C:\Users\Admin\Desktop\msg\m_turkish.wnryFilesize
41KB
MD5531ba6b1a5460fc9446946f91cc8c94b
SHA1cc56978681bd546fd82d87926b5d9905c92a5803
SHA2566db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415
SHA512ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9
-
C:\Users\Admin\Desktop\msg\m_vietnamese.wnryFilesize
91KB
MD58419be28a0dcec3f55823620922b00fa
SHA12e4791f9cdfca8abf345d606f313d22b36c46b92
SHA2561f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8
SHA5128fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386
-
C:\Users\Admin\Desktop\r.wnryFilesize
864B
MD53e0020fc529b1c2a061016dd2469ba96
SHA1c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
SHA256402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
SHA5125ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf
-
C:\Users\Admin\Desktop\s.wnryFilesize
2.9MB
MD5ad4c9de7c8c40813f200ba1c2fa33083
SHA1d1af27518d455d432b62d73c6a1497d032f6120e
SHA256e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b
SHA512115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617
-
C:\Users\Admin\Desktop\t.wnryFilesize
64KB
MD55dcaac857e695a65f5c3ef1441a73a8f
SHA17b10aaeee05e7a1efb43d9f837e9356ad55c07dd
SHA25697ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
SHA51206eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2
-
C:\Users\Admin\Desktop\taskdl.exeFilesize
20KB
MD54fef5e34143e646dbf9907c4374276f5
SHA147a9ad4125b6bd7c55e4e7da251e23f089407b8f
SHA2564a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
SHA5124550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5
-
C:\Users\Admin\Desktop\taskse.exeFilesize
20KB
MD58495400f199ac77853c53b5a3f278f3e
SHA1be5d6279874da315e3080b06083757aad9b32c23
SHA2562ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
SHA5120669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4
-
C:\Users\Admin\Desktop\u.wnryFilesize
240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
C:\Users\Admin\Downloads\AEYs.exeFilesize
265KB
MD564a771e08cd186b0581ab21644a976de
SHA10a3dca4137485b53c4246e324e54ac08aba1d830
SHA2569a61483087c81971856dc6ed4bbd2c71916e7abbda0c7f2830163ce4777e21ed
SHA512f6300023495f470d5b2a2102de465727bec7158e6c26988c886f23dde40c6e2baab3509c78325330faa5b2ab942d0ba8e23d1d9ad1f6b85f4658f2b1a9902d7b
-
C:\Users\Admin\Downloads\CggY.exeFilesize
231KB
MD58eb7165936bd0fab1ce827c0d1ff641d
SHA118d48094206f41c85823907b501dbbd48a67b9d6
SHA256e02c09b467f71d4c995ec767273f985bb09aa95d13add94efeeb026b3ea3a926
SHA512f8e42c7ce5704996081e9d7ba0ff4cbc4ac66b9917a9deb5e1d106eb6372bad26abee3a14dcc90a19a36211ab3019798edb5c012ed1fdcfeefedd52c64b87f2c
-
C:\Users\Admin\Downloads\IYYA.exeFilesize
426KB
MD5c410f2cffaa700ad8da1ff011a59e116
SHA133c022c65c6de9af659bf86bbb1801f115d58709
SHA256521573f66529ec3bece3b3f91d1fa707cb73a95814f4c8d70ecef69d9d64f2ef
SHA512d9c4f8352a731cff3782019ffff55009ce4135e5bb248bdcf0173ace98a08a34d4c96b10799f7d4803d209ebae6409168b0a5003b14a288e3fe22a983ced6b60
-
C:\Users\Admin\Downloads\MEUO.icoFilesize
4KB
MD58ff64aadbcb8620bd821390e245fa0e6
SHA14d03910751bff2987d165c7c43e52851ae064239
SHA25638d6a9052a4fa9fbd656388704522cb851247c32650c387c19b15cd28ff3b6fc
SHA512b5d4dc4bea4ca5c7238d875f2f934f5813b97100e364a16c4c6bc800e9a6df06a3075d7807d8ab42e551faa3f8a870b21abb61ae4816ef95f0e7163df5f62ecb
-
C:\Users\Admin\Downloads\OAoS.exeFilesize
1.6MB
MD5e92baf8ef75db231d7013517061004db
SHA1139e772bf051b21c3ab72e512b2dfaf220d74f3c
SHA256e3b9c109239d64e78a4e5eae600602031ff9eb32b6d79963d49aa17516001714
SHA5125fcc072a9234970cc7b0a8a6f0aca4e4391ec24069434ca84153ca5e0d66cf99b6820f9313562ea9277707be455fca1dec8fe69e7a9b806b2798dd21edf49a60
-
C:\Users\Admin\Downloads\PolyRansomFilesize
25KB
MD52fc0e096bf2f094cca883de93802abb6
SHA1a4b51b3b4c645a8c082440a6abbc641c5d4ec986
SHA25614695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3
SHA5127418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978
-
C:\Users\Admin\Downloads\QAwO.icoFilesize
4KB
MD59af98ac11e0ef05c4c1b9f50e0764888
SHA10b15f3f188a4d2e6daec528802f291805fad3f58
SHA256c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA51235217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1
-
C:\Users\Admin\Downloads\QAwg.exeFilesize
1.6MB
MD5dafd1ad577a6f4801ddfb1eca62c5169
SHA1d77456069dfe157d1678d908ca3f042b021af0cf
SHA2566ecbcc64e22999bd671a765ba5f37a611f4cf53ac4b094d698f8ebd8d1ea256f
SHA512bd7d84a608efabd1a5af2179401030199c4a6266b81a3b75a696d0fd5551f898f906f6e0a800daed35451bed732ec43b679a41cb625ea216f395b1a000e48e0d
-
C:\Users\Admin\Downloads\QUgw.exeFilesize
221KB
MD5607a82a30aa216870867619c047c10a9
SHA1208261c0a3eb2c64c2d5ecf80077a62063bd2d0b
SHA256fa49691297f980b2349d457476fcff374ae859de3003072ddf78129e31584887
SHA5125470a846b8b9fc68871148f50ca351b4e9b4b9e29fb73034993348d8d570fae4a3215c1cb731151f0f4034036c35b2aa238cc6df7d4880d21e2ff9b27a280ed4
-
C:\Users\Admin\Downloads\QkAm.exeFilesize
653KB
MD54d25c653151c17679a5314220e53eba2
SHA164730753b838e70368cfcc78c0188ffcb271236c
SHA256c802cec34735b606b9385249d139cec84cf77d00a2609a3e55afec4ac2ca7d45
SHA512a0f7f1f0202fc2e001457bd08ebb76e8bd837295239018acef1c38c5baf7efed3067b4a2ba807aa0a6c49a1c05fb39f73454c362389d4b02c8993ef5019edcec
-
C:\Users\Admin\Downloads\QowG.exeFilesize
433KB
MD547d5f7b2ae8412618aaafdad188a4795
SHA163fc7cc631c06f433b819af284600e9b44156ce2
SHA2564850e41e1d5cf14951609bcb1b5d7e16f8881837c76ef49630502d23a6a81497
SHA5129837ae6b348a8f0154e5e4074c249a586ce67a53f9c787f20059a6ceb67cdabf496f4a81a44e38e0ca5e787f4c36727e84ef83d821e96734adf6870e1d65c234
-
C:\Users\Admin\Downloads\Sswa.exeFilesize
429KB
MD53845b483c08b38909ba9f58425be1d0b
SHA13bc27ede3a33d31d778c5709357ce46d2ab2612a
SHA256ff013d380a7db697a4d18de01fe2ce67d4b31ad8c400ab4156157d23a5525b0f
SHA51276e1568c1c6e61f860c2ef49c64e4ee7f87e0d97dc16cb4b853a23329d8a558c1f7b1d2739a792fe03a08f279a05da8c5798e14f767419228c72d2655d5b69a7
-
C:\Users\Admin\Downloads\Unconfirmed 296940.crdownloadFilesize
84KB
MD59d15a3b314600b4c08682b0202700ee7
SHA1208e79cdb96328d5929248bb8a4dd622cf0684d1
SHA2563ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15
SHA5129916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3
-
C:\Users\Admin\Downloads\Unconfirmed 306455.crdownloadFilesize
220KB
MD53ed3fb296a477156bc51aba43d825fc0
SHA19caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA2561898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
-
C:\Users\Admin\Downloads\Unconfirmed 922663.crdownloadFilesize
3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
C:\Users\Admin\Downloads\UssU.exeFilesize
430KB
MD56c80aeb1ffeec5ca95f344ecea760797
SHA1ae200ede102c365d93445ddd293141f51b01d49c
SHA25677fcf42350cacb51da884431cf51705e023ef285b13d9df8d39393f245c4338d
SHA51220e7b44e9f1f6676174e217d355be3d7df5e89b6af8f56623b31002e6cb158f3d3b049eb3aa5217b67519031abd448ccf286ef904126ad7c3faac853fcf95339
-
C:\Users\Admin\Downloads\WannaCry.exe:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\aQIE.exeFilesize
313KB
MD5a1f7715687baf02c3bca9c2b68c207d7
SHA1b5ba000be83f9f402a4c556972eec898bf5fcdfe
SHA2566c0e231d24663d34b4421e7eb3e8171baec614992f6c9f58c89759c2325ee071
SHA512874ef0035fbd42ff7b7176cb155ed42b9800a2d09063765bb51eb6120d409eadbe20f2c0ff6854a4e17852dce6e1cc190b19ae790ae62d5d9fe35d165b8ad919
-
C:\Users\Admin\Downloads\cIAu.exeFilesize
804KB
MD5b06d1ab9d89f4d2dd1d52691ce044b31
SHA12c117e62aa2f15c34330e15d178877fb5ee8731c
SHA256b72f898a937446abe6a9108050a48de5daa9ac60e0b034009b2b67e9aec2829c
SHA51205e37e229d97628e62d68ff5af0153513d80fd4cd6ccc4302daf75403d30d6a87f9f5f9199440833a42c5069e902d633ca4383341d3f1b2fbce7e7b6fdd9c378
-
C:\Users\Admin\Downloads\gQgO.exeFilesize
636KB
MD5e54e9321c6bf8cf8045b84f87fd69ee8
SHA11eb9e3d9d5e0b935be84c050bcd509b84ed44d0b
SHA256d3765f0c086837a6dfed6526f293649fbc9d61c36d364ce95eaeac9dbdadb761
SHA512316f244baf464777fff686bca7d3d059548eec5cd0d8835372d4b81f784c9be6acb452a75e4e20925f0465b0ecdfbe2d262ab9de4dfc53863101c9e3c06d796a
-
C:\Users\Admin\Downloads\iQMu.exeFilesize
821KB
MD559044ecbd6ceb11be676717f06617a81
SHA17890aab5c8ee9ac23a95ea3ee286acf8509a08c7
SHA2561a0ac69270756e2ee95d14020d1700df0e3e099f3b19271bf728d95a6c0c8ab3
SHA512d9fa079850403b80ec9dcb6da6ff21dfba779470c3befc120714828a399e4443501128e817cba5a18d3520e9617fae80721ada82fc034eb3a3813c321cc71ec6
-
C:\Users\Admin\Downloads\iQgm.exeFilesize
444KB
MD57083774e777bae42354ebf7c512644eb
SHA1bf54448004987a1013f868d806604f69ed72f5b7
SHA25637b67a0865382377772069c208c8eba02e59463d4ae3bc19548758507f3a152c
SHA51274d9e7378d4b5d839ca17ff9a4921b9f75832834faa460ffcebaf6a021b72a15e2d919010105b104dd40b75cef3887ee464fcdfbaa7d0e132b3f8291432ac7a5
-
C:\Users\Admin\Downloads\mMoi.exeFilesize
213KB
MD5448c98801b04466931119ca51feb1033
SHA105e6117d8e51f78811465c1a5edb1b7d5f3c3cb2
SHA25650bd3f0cb9384fb40651f8b860e7582dd496d565cba1905b9d4df97fffa45f0d
SHA5124d4fca179025a4d8105b9dcccc0fc3d3a16453b6154a71f6f08b6a84ccb15468ab2a561d0316675bf692711fdbd8274b79f78f4be61f5468c556b9ee1aa0a8c5
-
C:\Users\Admin\Downloads\mYQQ.exeFilesize
424KB
MD5e512c5b11d4cb8c201c727fb37c3678f
SHA1966d76fa2396b86af5631d153e2509ed1769d30e
SHA25656860171569babf789c6e07bc3443b4648e5a16546e30cb5756e20bf65d4f4e0
SHA51268a4948ec21e5e4408022750b048d3553231b39377cbdc716dbbe5065503e058c16e8e4751ff5dffecc2fe55c6843500911cbb42d7a32943d53f80f6524a828a
-
C:\Users\Admin\Downloads\oUIS.exeFilesize
221KB
MD5a03578992477d408954b63d410589ae8
SHA163e61a952e83dd217fd0025ce2568e671a692015
SHA256f0200515265d250009eca9d629e6a5986e4a85279f0899a1084db48dd1660091
SHA51271f0013333db974d36fe4d04ac7594e2e5978cb029aef8ea59a997c10235f833be9159602f086dff32d05ca840b70b7bcfbc9c906f7190bdec9bb52ce008a760
-
C:\Users\Admin\Downloads\oUMm.icoFilesize
4KB
MD5d4d5866fa12a7d7aeb990ba5eae60cb1
SHA1a1fdfc36c9500844fe0c4554fd60cc95808bb9a8
SHA2565388384511211df8aa81844cff67add9646c8196456f34bb388c2bceecf5f2b4
SHA5127e8537da4047e751e3613bd089014d6ba3f4418a6d8f71c2cfdde146c0ef83895e74417ef19c30a63adc1d38fe0c1f8fdee3f2eb5bb0146e5043f06c73dba06d
-
C:\Users\Admin\Downloads\uooC.exeFilesize
423KB
MD55720cf6dbbbfb9cc0bab9a442d72a250
SHA15c65924c2af42a79c4527a41b1e40893d556291e
SHA25635194b6f4fa94de67bc4a36867bb2446e11ddd3b281752e0d9c20a0f7f04e6f8
SHA512505e160a784f166df367317e00b91a1c0b00b2869397b3e59d3593fd30e45afdadc2b12e2fecba5eda9e3c005842e73ecf2dc100bfd0fa869dd875481b6ed466
-
C:\Users\Admin\Downloads\wcUa.exeFilesize
794KB
MD57f8dc2258481b690802b1b74bee00c3d
SHA164b2ba943723057cc5091098ca78d27c2793052f
SHA2561e6cb8e92d2f5d4f9334b14835a4c62bfb166bd636bb085efeb0038496887d0f
SHA512c6c5513d98276084d1875f28f0e8418c2a529d622a03bdbd0446cee3d7dde263ea036208f035fcc2b3479073452c334ce0552d079887b0da9534f0fa8471547e
-
C:\Users\Admin\Downloads\yYki.icoFilesize
4KB
MD5ac4b56cc5c5e71c3bb226181418fd891
SHA1e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
\??\pipe\LOCAL\crashpad_3408_WIDKJXHTXWDALRNFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/440-3570-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/440-3545-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/620-3433-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/620-3407-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/676-3342-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/956-3290-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1000-3474-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1036-3459-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1036-3439-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1044-3124-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1044-3114-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1224-3099-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1248-3225-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1384-3098-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1484-3161-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1484-3446-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1484-3422-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1484-3179-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1492-3575-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1492-3558-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1644-3217-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1900-3367-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1956-3347-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/1956-3362-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2060-3189-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2060-3175-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2068-3502-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2948-3604-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/2948-3585-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3048-3556-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3048-3539-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3080-3160-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3156-3385-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3156-3403-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3208-3207-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3208-3198-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3352-3351-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3536-3527-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3892-458-0x0000000010000000-0x0000000010010000-memory.dmpFilesize
64KB
-
memory/3992-3088-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/3992-3103-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4024-3432-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4032-3552-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4032-3531-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4068-3600-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4068-3104-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4068-3115-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4124-2825-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/4124-2823-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/4608-3152-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4608-3141-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4696-3508-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4696-3523-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4912-3311-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/4912-3329-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5132-3132-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5132-3123-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5176-3302-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5176-3315-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5272-3199-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5272-3190-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5380-3450-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5380-3423-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5396-3579-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5396-3595-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5444-1924-0x0000000073690000-0x0000000073712000-memory.dmpFilesize
520KB
-
memory/5444-1952-0x0000000000040000-0x000000000033E000-memory.dmpFilesize
3.0MB
-
memory/5444-1886-0x0000000073740000-0x00000000737C2000-memory.dmpFilesize
520KB
-
memory/5444-2022-0x0000000000040000-0x000000000033E000-memory.dmpFilesize
3.0MB
-
memory/5444-2032-0x0000000000040000-0x000000000033E000-memory.dmpFilesize
3.0MB
-
memory/5444-2038-0x00000000733C0000-0x00000000735DC000-memory.dmpFilesize
2.1MB
-
memory/5444-1889-0x00000000735E0000-0x0000000073602000-memory.dmpFilesize
136KB
-
memory/5444-1890-0x0000000000040000-0x000000000033E000-memory.dmpFilesize
3.0MB
-
memory/5444-2048-0x0000000000040000-0x000000000033E000-memory.dmpFilesize
3.0MB
-
memory/5444-1975-0x00000000733C0000-0x00000000735DC000-memory.dmpFilesize
2.1MB
-
memory/5444-1969-0x0000000000040000-0x000000000033E000-memory.dmpFilesize
3.0MB
-
memory/5444-2011-0x0000000000040000-0x000000000033E000-memory.dmpFilesize
3.0MB
-
memory/5444-1937-0x0000000000040000-0x000000000033E000-memory.dmpFilesize
3.0MB
-
memory/5444-1887-0x00000000733C0000-0x00000000735DC000-memory.dmpFilesize
2.1MB
-
memory/5444-1888-0x0000000073690000-0x0000000073712000-memory.dmpFilesize
520KB
-
memory/5444-1922-0x0000000073740000-0x00000000737C2000-memory.dmpFilesize
520KB
-
memory/5444-1927-0x00000000733C0000-0x00000000735DC000-memory.dmpFilesize
2.1MB
-
memory/5444-1926-0x00000000735E0000-0x0000000073602000-memory.dmpFilesize
136KB
-
memory/5444-1925-0x0000000073610000-0x0000000073687000-memory.dmpFilesize
476KB
-
memory/5444-1923-0x0000000073720000-0x000000007373C000-memory.dmpFilesize
112KB
-
memory/5444-1921-0x0000000000040000-0x000000000033E000-memory.dmpFilesize
3.0MB
-
memory/5504-3262-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5504-3250-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5524-3280-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5572-3497-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5572-3512-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5620-3144-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5620-3133-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5644-3395-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5692-3244-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5720-3396-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5720-3414-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5736-3245-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5736-3254-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5744-3540-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5768-3481-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5864-3467-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5888-3369-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5888-3388-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5912-3226-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5912-3234-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5912-3289-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5912-3306-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5916-3498-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5916-3485-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5932-3379-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/5932-3364-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/6020-3319-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/6020-3334-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/6056-2795-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/6056-2797-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/6108-3584-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB
-
memory/6108-3563-0x0000000000400000-0x0000000000439000-memory.dmpFilesize
228KB