Analysis Overview
SHA256
29b0ad85d3b2aa2292848e5f0ec1f0b06d0c8cc53a7670bcd46cc4f84ebe597d
Threat Level: Known bad
The file qrcode_tria.ge.png was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies Windows Defender Real-time Protection settings
UAC bypass
Renames multiple (75) files with added filename extension
Deletes shadow copies
Downloads MZ/PE file
Sets file execution options in registry
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Modifies Windows Firewall
Disables use of System Restore points
Executes dropped EXE
Reads user/profile data of web browsers
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops autorun.inf file
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
One or more HTTP URLs in qr code identified
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
NTFS ADS
Uses Volume Shadow Copy service COM API
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-09 16:13
Signatures
One or more HTTP URLs in qr code identified
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 16:13
Reported
2024-05-09 16:16
Platform
win11-20240426-en
Max time kernel
142s
Max time network
143s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |

The sample creates the Defender policy key itself and then sets DisableRealtimeMonitoring there. Whether Defender honoured the value is not recorded in this report; on hosts with Tamper Protection enabled, Defender ignores registry and Group Policy changes to real-time protection, so this row is an attempt, not a confirmed outcome.
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |

This identical write is recorded 64 times during the run, every one of them by reg.exe rather than by RedEye.exe itself, which points to a loop that keeps re-applying the setting. The key lives in the user's own hive (HKU\S-1-5-21-1230210488-3096403634-4129516247-1000), so only that profile is affected. With extensions hidden, a double-extension file such as name.pdf.exe is displayed as name.pdf.
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\RedEye.exe | N/A |

EnableLUA = 0 is written 64 times in total: 63 times by reg.exe and once directly by RedEye.exe. Triage's signature name is "UAC bypass", but what the rows show is UAC being switched off, not evaded: EnableLUA under HKLM\...\Policies\System disables UAC for every account once the machine reboots, and writing that HKLM key already requires administrative rights the process must hold. The row therefore documents impact (defence tampering), not an elevation technique.
Deletes shadow copies
Renames multiple (75) files with added filename extension
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\NetSh.exe | N/A |
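The registry rows in the signature tables above (and the Image File Execution Options rows in the next section) are the reusable part of this report: each "Indicator" cell is an NT-native path with the value name and data appended, and identical reg.exe writes are logged once per call, so the tables run to dozens of duplicate rows. The script below is an added example, not Triage output or part of the report. It parses rows in the table format shown on this page, maps `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` to the HKLM/HKU hive names reg.exe uses, collapses duplicates with a count, flags the settings this sample forces (Defender real-time protection off, EnableLUA off, registry tools disabled, extensions hidden, IFEO Debugger values that name no real program), and emits the `reg query` command that checks each location on a suspect host. SAMPLE_ROWS is a constructed subset copied from the tables on this page, with one EnableLUA row repeated on purpose; the tamper table and the hive mapping are this example's own choices.

```python
"""Turn Triage registry signature rows into a de-duplicated hunt list.

Added example, not part of the Triage report. SAMPLE_ROWS is a constructed
subset of rows copied from the report's tables (one EnableLUA row is repeated
on purpose to show the collapsing); the HKLM/HKU mapping and TAMPER_VALUES
are this example's own choices, not Triage output.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
"""


@dataclass(frozen=True)
class RegEvent:
    action: str          # Triage description, e.g. "Set value (int)"
    key: str             # key path with HKLM / HKU hive prefix
    name: Optional[str]  # value name, None for key-only events
    data: Optional[str]  # value data as Triage prints it
    process: str         # writing process


_ROOTS = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}
_SET_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
_IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options".lower()

# Settings this sample forces to a defence-weakening value (example's own table).
# Per-user paths are matched after the HKU\<SID>\ prefix has been stripped.
TAMPER_VALUES = {
    (r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring"): "1",
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): "0",
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): "1",
    (r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt"): "1",
}
_TAMPER = {(k.lower(), n.lower()): v for (k, n), v in TAMPER_VALUES.items()}


def normalise_key(path: str) -> str:
    """Map Triage's NT-native path (\\REGISTRY\\MACHINE\\...) to the reg.exe hive form."""
    for root, hive in _ROOTS.items():
        if path.upper().startswith(root + "\\"):
            return hive + path[len(root):]
    raise ValueError(f"unknown registry root: {path}")


def relative_key(key: str) -> str:
    """Drop the hive and, under HKU, the SID, so per-user and machine paths compare alike."""
    hive, _, rest = key.partition("\\")
    if hive == "HKU":
        _sid, _, rest = rest.partition("\\")
    return rest


def parse_row(row: str) -> Optional[RegEvent]:
    """Parse one '| Description | Indicator | Process | Target |' row; None if not a registry row."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 4 or not cells[1].upper().startswith("\\REGISTRY\\"):
        return None
    action, indicator, process, _target = cells
    m = _SET_RE.match(indicator)
    if m:
        return RegEvent(action, normalise_key(m["key"]), m["name"], m["data"], process)
    return RegEvent(action, normalise_key(indicator), None, None, process)


def classify(ev: RegEvent) -> Optional[str]:
    """Return a verdict for events that weaken defences, else None."""
    rel = relative_key(ev.key).lower()
    image = ev.key.rsplit("\\", 1)[-1]  # last path component, e.g. rkill-unsigned64.exe
    if rel.startswith(_IFEO + "\\"):
        if ev.name is None:
            return f"IFEO key created for {image}"
        if ev.name.lower() == "debugger":
            # Windows starts the Debugger instead of the image; a value that names no
            # real program (here "RIP") makes every launch of that image fail.
            resolvable = "\\" in ev.data or ev.data.lower().endswith(".exe")
            note = "" if resolvable else " (names no program: launch blocked)"
            return f"IFEO Debugger for {image} -> {ev.data!r}{note}"
    if ev.name is not None and _TAMPER.get((rel, ev.name.lower())) == ev.data:
        return f"{ev.name} forced to {ev.data}"
    return None


def hunt_list(rows: str) -> List[Tuple[RegEvent, int, str]]:
    """Collapse identical rows (Triage logs every reg.exe call) and keep the tampering ones."""
    counts = Counter(ev for ev in map(parse_row, rows.splitlines()) if ev is not None)
    hits = []
    for ev, n in counts.items():
        verdict = classify(ev)
        if verdict is not None:
            hits.append((ev, n, verdict))
    return hits


def reg_query(ev: RegEvent) -> str:
    """reg.exe command to check the same location on a host (HKU\\<SID> needs that user's hive loaded)."""
    cmd = f'reg query "{ev.key}"'
    return cmd if ev.name is None else f"{cmd} /v {ev.name}"


if __name__ == "__main__":
    for ev, n, verdict in hunt_list(SAMPLE_ROWS):
        print(f"x{n:<3} {verdict}\n     {reg_query(ev)}")
```

Paste the full tables from a report into SAMPLE_ROWS (or read them from a file) and the duplicate EnableLUA and HideFileExt rows collapse into one entry each with their counts. The `reg query` lines are for a one-off check of a suspect machine; HKU paths only resolve while that user is logged on, so for an offline disk load the NTUSER.DAT hive first or translate the HKU\<SID> prefix to HKCU for the affected account.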
Sets file execution options in registry

Every executable listed below receives an Image File Execution Options Debugger value of "RIP". When an IFEO Debugger is set, Windows starts that program in place of the image, and because nothing named RIP exists, each attempt to launch the image fails. The targets are remediation and analysis tools (RKill under all of its renamed variants, Autoruns, Malwarebytes and its installer, HitmanPro, AdwCleaner, a2start.exe, ZAM.exe, MSASCuiL.exe), built-in recovery and control surfaces (taskmgr.exe, rstrui.exe, bcdedit.exe, recoverydrive.exe, UserAccountControlSettings.exe, powershell.exe, taskkill.exe, attrib.exe, logoff.exe, sethc.exe) and browsers (iexplore.exe, microsoftedge.exe, firefox.exe, opera.exe, yandex.exe). The gpedit.msc entry is inert: IFEO matches on the executable image name, and .msc consoles are opened by mmc.exe. The "Key created" rows are the parent keys for the same images; removing the keys restores the programs.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwEgMQIw.exe = "C:\\Users\\Admin\\ZGsYEYkQ\\mwEgMQIw.exe" | C:\Users\Admin\Downloads\PolyRansom.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XewwoIoc.exe = "C:\\ProgramData\\nckoIowA\\XewwoIoc.exe" | C:\Users\Admin\Downloads\PolyRansom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwEgMQIw.exe = "C:\\Users\\Admin\\ZGsYEYkQ\\mwEgMQIw.exe" | C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XewwoIoc.exe = "C:\\ProgramData\\nckoIowA\\XewwoIoc.exe" | C:\ProgramData\nckoIowA\XewwoIoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\autorun.inf | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\Downloads\RedEye.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Nope.txt | C:\Users\Admin\Downloads\RedEye.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "203" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133597448531665100" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry key
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\RedEye.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\windows.exe\:Zone.Identifier:$DATA | C:\Users\Admin\Downloads\RedEye.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "4" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Downloads\RedEye.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\qrcode_tria.ge.png
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae599ab58,0x7ffae599ab68,0x7ffae599ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x214,0x25c,0x7ff71a3aae48,0x7ff71a3aae58,0x7ff71a3aae68
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff71a3aae48,0x7ff71a3aae58,0x7ff71a3aae68
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4652 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2604 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4620 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4540 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5132 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Users\Admin\Downloads\PolyRansom.exe
"C:\Users\Admin\Downloads\PolyRansom.exe"
C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe
"C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe"
C:\ProgramData\nckoIowA\XewwoIoc.exe
"C:\ProgramData\nckoIowA\XewwoIoc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcYMkggU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKkUAoUQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmUUsgIk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MScIscsY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiAUossc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pagAwgkY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAgYIIws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMwEokAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQgEMoEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUIkoIAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGoIYMIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAMAgYUc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYQEoEQY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuUsgkAY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcwkUQcc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGMQUEMY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKYEocYA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgkkAUEQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAAQkccw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCoYIUog.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PewAIIsY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYQMgYME.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOEYQkgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MywoEsEc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEgYwgMM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sosEwEMM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEgIAwEE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWMwQwsg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zycMEAcY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKsUEcQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IukgcYIk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goUsEcUg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waokssww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCYQYcws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGwYkIMU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkwYYIUQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peoEMQkY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AssIEoEw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csYQEgQQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssAEQkEo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYYswAMs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGAoUkgk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUYgUwYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsEMEMMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKooUUwI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmYoMYoM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAokMscU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iigMYYUU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAAooIEg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paYYkMwA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOcIwscc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgcsYgok.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCIEEQEk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qscQgcAA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEkIwMsI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaEwsQUI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmMkgQUg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSoYMgEE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5256 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3392 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSosgQss.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swYEQYcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KakkYswo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeYkkgcg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIscUIYk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMkEwQkg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuAEQEsM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgwswMwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkMsEAIg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOosYwoo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oagUgIoI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkAkgAwo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUgscUEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwcokQEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEsAsEcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkgwYMgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYsgEsEI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcEEUowU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\Downloads\RedEye.exe
"C:\Users\Admin\Downloads\RedEye.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOAQssIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwsgcwIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIcIIkQg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAUkcEMY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQMEYsEM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fygkAsAA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMMYMUwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOEQYokI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
C:\Users\Admin\Downloads\PolyRansom.exe
C:\Users\Admin\Downloads\PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGsAoEYM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\SYSTEM32\NetSh.exe
NetSh Advfirewall set allprofiles state off
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\RedEye.exe
"C:\Users\Admin\Downloads\RedEye.exe"
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 00 -f
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3826855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.178.4:443 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| GB | 142.250.187.206:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | consent.google.com | udp |
| GB | 172.217.16.238:443 | consent.google.com | tcp |
| GB | 142.250.187.206:443 | play.google.com | udp |
| GB | 172.217.16.238:443 | consent.google.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 185.199.111.133:443 | avatars.githubusercontent.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| GB | 142.250.200.14:80 | google.com | tcp |
| GB | 142.250.200.14:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| GB | 172.217.169.35:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.16.238:443 | consent.google.com | udp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| N/A | 127.0.0.1:51315 | | tcp |
Files
\??\pipe\crashpad_3404_XXQOAHVUJDQVTGRU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 0661633932261d77c4754fc769f2b536 |
| SHA1 | d69b5a030c4f7ea726a3ed1a2ec364d6b58acf98 |
| SHA256 | f9105b8b4505ea96b06aa5ff68f48b1b780792fd5d66fa52d32accb676e7aa86 |
| SHA512 | 03298bcb357f9546bb32e96defa02932c602676f7fd12f37a76f209eb62c2228954d8dbe7b42e66ff9983cc2c0855ce50fb8c427444766648666528f9e655062 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1d5f70a872fdf78abac29bc0cfd7997f |
| SHA1 | 234244c36df679b8970fa48df8a6c8f570f3967d |
| SHA256 | 5cd5b1201f50c8fc2cf73cfe11f804ad5f55d9a4521a824ac9753a4292536bf7 |
| SHA512 | 328f38732568970a606db5b4b9229c77deda1dd23ab51a752ead6e43c48c99ac00cddecb7909f2fd3a497ec003e47d89187d21f094979d2bd1daef2f0c83f04f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | da04118d12569223063e1ff048f64a45 |
| SHA1 | bdb4b19470c38e508856c463c8d9bae080c250e5 |
| SHA256 | 1ceb8ab8edfdee9aea4d2cd1b13e8a695f24fb3ff9faeb0bfd3cf8758bbdd8fb |
| SHA512 | 9786e2ab43a1d0fb8f254c003644f224b1f56bb0517543ce7646a283025357b779021c1711ee8e958283c9953242ae2318feff681ecda39ba5b8078d18960a28 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 0efe800111205678762f4ea54fab0959 |
| SHA1 | c20a675ff21757b585796c512ad8078da569cd44 |
| SHA256 | 79f3bbd05cbbd7cffa2cd5ef2018bfe4c55d9d0ed174042b01f37d845026c054 |
| SHA512 | 3dbaad8a95a334a95bd30d4f6f3d7a7e8913eecabcc49d19cd858fc188036a2f2694ebd7019c601c351939276a2828feb3ac7d3f72abd29a6a993d54bb054fb2 |
C:\Windows\TEMP\Crashpad\settings.dat
| MD5 | 7456235c901a796fbcda597c24898e9e |
| SHA1 | 1d6a9e5fd69e1b88ea1def2b6d2a43f0f13bc222 |
| SHA256 | b1c7f2f6666930e89726a9a0c2f720c866df5075af3f89c9a8ff3674d79d9ada |
| SHA512 | 67d083634583a960be6e7f85a1b061af2b53fa1c8fb48a5631e78c0b7eb2628301809038d8509a986620b1928a5f4ae509d6e4f22d188a836e02d2e6928d8fc8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fd5f146ade9734413bc4f60bd3a3ddb5 |
| SHA1 | 700930827abe836656196f1aaf9de24621f20301 |
| SHA256 | 95bcfbb5e242f22ba2ee8c3567637203a271f4ad23d93a70523ed692429a1631 |
| SHA512 | 7413bafbf3d85acf081e8c591326dc0739d842387e05b555568f9fb89f09cdda1625bf3c9e0dd12d1b8467a61c9c7e4767b9d33df313bf6b4d60cca7fed2cc1a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 61b2978ddb88dc642454eb5dbcfb3c10 |
| SHA1 | ac23b47b9a37804117b569898f17374d5197abed |
| SHA256 | 734ec0238204addc974d7bcd2735bc8d6b043ae24dc48303cf49a34f047441b7 |
| SHA512 | 23128ebb017a2628cf77dc684719ee3f447197a4b7c954fabfb0730f515e4a878e0d7a412d2952582593bc5ddd4ff38e51708f1d9d42a1e522147d39a397c94d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 03e8e346263a595989e27fe5b3cf8f12 |
| SHA1 | 6e86686367ae66915460d4e1d7332fd5c55ad83a |
| SHA256 | 695dd0858c26b8a827ee64533135593a2d44a1f2501453a0c319252925af4fc4 |
| SHA512 | ee4e243999ac43326a1740626f21775582c45829c66c6ba21737c4466dd548b32630db606c5980b051d83f71c6733127ee8b036858e90c2325c81cf5df7a57f9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b61a266fd172f16753caf8bce23648bd |
| SHA1 | 484d38c6e8312c55e4191398799ac775fa814f70 |
| SHA256 | 8ba902417e259e5f050bf74587e389411e6eb3707d31e3dc87861b0385392e5e |
| SHA512 | 8593bf2ecc04e549fee6ee3b1dd31ce9c21ea59f4a361f43c4a4c0e98189f43b54f469d8ec4c1bcdea56831251a66b391bf7afacda301348b29c81932fb3559f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 484beec07ce782286d1b48d0595400a7 |
| SHA1 | eb309492de93882cd59a604a545a4f8ba5b444a0 |
| SHA256 | 50194575d8130d8324d0cc567dc7d6a8d36036b57c740ff34b4da8e14379b4c5 |
| SHA512 | 38011779c25eecccd9f48f262c42a62ab92c6cb57d51c321a98f5210a3f92aec9ad930d3083580a86b11e69fa83a54e12815fb21add671accfca0e4fe8005d99 |
C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier
| MD5 | 7689f7bff089c1cb90c9ddb054eebab5 |
| SHA1 | 899fc099b5055428cccbf439f804bf35abc5d4f0 |
| SHA256 | 7600d79cc7a524308380939fee0ab6ffde2d01f3812e02b343dc13634d726e1c |
| SHA512 | 2bad3c3ad2bf1a771ec323ed6b20166f1a06487690bb1469d5b8a64daef01b1a993ad9ff91d7c3c0197f1ed224e5b48e1021984fd9a26ba3b60ca60f46df19c4 |
C:\Users\Admin\Downloads\PolyRansom.exe
| MD5 | 3ed3fb296a477156bc51aba43d825fc0 |
| SHA1 | 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6 |
| SHA256 | 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423 |
| SHA512 | dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3988a01d6f3557cb779656fd9f625348 |
| SHA1 | 1b7f316536e94f4cf12a27eef20be629ed55c293 |
| SHA256 | f0825165fdbadd3c07d738e1e2f92f060ad3e5ee02f2f8a0e06138a528a20e74 |
| SHA512 | c1fe94d25f29e831f24c014bdcc2cda7693f787c46b7c9c039e17a16e66e390a4e4bfe9e0e2b8c4b0a3b0f759f2ceedab8ed19ef806a073fcb99289bc8cc02cc |
memory/4700-355-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 1c4645d5400a2b5ed5f3499d9a91f3df |
| SHA1 | 85fbc48b58b6f435449bd1f4f723d9abe5e28867 |
| SHA256 | ff25cabd8a9f9c2febc4ad17215a692fc23378c68574210699df78f2a6c0888c |
| SHA512 | 384ca7ec352204961ba8a79f7a02c97cb1020ce33cdccb66ef489fd867760936719fefe85c129f20ddf7c3cd1e107c95ca61f37677a48befd5f7e5f36b263f29 |
memory/4400-374-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2136-373-0x0000000000400000-0x000000000042F000-memory.dmp
C:\ProgramData\nckoIowA\XewwoIoc.exe
| MD5 | a716940337f91117767d0670cc03a256 |
| SHA1 | 8b8ed6ec87b2c5d35449234f16c09ead820ff062 |
| SHA256 | 21ddb903bc94456fe838a3269f8be08a2e55fcc3e75aeec860bb3677ea9fd5c6 |
| SHA512 | 973dbbcf5b9ec596294270330127cf697f228327d3a044f4bf02ad8615a279eb9d6e703362e2d74e54c76509fa4d40308efe7189e1f82ac00e000736307c6bc2 |
C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe
| MD5 | e46c8a740f5c4e3dae6968101849fc6c |
| SHA1 | 8109390709879c467b5a5e65ed9201779252240b |
| SHA256 | cc6f2f17f408649af9814b0330319efad5aec04dc280b0db269788707d7b3100 |
| SHA512 | dab472ed3cac9030b0f18978f458d1fb908b64314a23a0303b97844a9dcdd9ff89bb529723b013bac1fe0667845dec1caf41d89910c8b09832fbc7d7d76eb1db |
memory/4700-380-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RcYMkggU.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ca2f6432583f2e70609d1e19f5dce491 |
| SHA1 | 2f555ba65563df7df7691ae4f70d4e4ab538896d |
| SHA256 | a9574c2a623b6ef67b670f256629112d298426e677cb6ac393df1e79d689eeb3 |
| SHA512 | 657bd7b3af57768a73b9e22956dc258605d55d6bdb51c23d520ce00c3bd87fb692f782f083d4b886e1e665499bba48ef619ab5dbde2bb405192335c5a88db964 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\Downloads\PolyRansom
| MD5 | 2fc0e096bf2f094cca883de93802abb6 |
| SHA1 | a4b51b3b4c645a8c082440a6abbc641c5d4ec986 |
| SHA256 | 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3 |
| SHA512 | 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978 |
memory/2324-403-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1904-404-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1164-414-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2324-417-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1164-429-0x0000000000400000-0x0000000000439000-memory.dmp
memory/372-442-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4760-443-0x0000000000400000-0x0000000000439000-memory.dmp
memory/372-456-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2204-466-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3436-469-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2204-481-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4652-495-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1400-496-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4652-508-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3844-516-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2764-525-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3296-524-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3296-535-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3544-543-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5068-551-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1004-552-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2856-559-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1004-563-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2004-570-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2856-574-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4884-579-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2004-583-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4884-592-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3844-601-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2332-606-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1772-610-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2332-618-0x0000000000400000-0x0000000000439000-memory.dmp
memory/428-628-0x0000000000400000-0x0000000000439000-memory.dmp
memory/572-636-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3148-641-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1232-645-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3148-654-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2368-663-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4080-668-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3544-672-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4080-680-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4836-687-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2400-691-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4836-699-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4488-704-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3324-708-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2912-714-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4488-717-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2912-727-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | d908ea8f3c5896e7004964b8ab10e152 |
| SHA1 | 583db0f47de3eb7e845327e9933c0bea2a5d556b |
| SHA256 | 550be7b1b7ad86bdebda2ecafba382f83f6e393b387ff2094b90a6f4123bad9c |
| SHA512 | cf4e0e3a9334976c1bd5c5d1cf3e8fb12455b500371acbd4b5d8b0df4e5d54201e65245fcb54465b16f19d6350691034dcdd10d10db20b83ba7200a7b14eee92 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58ef8b.TMP
| MD5 | 14743916100162a89a270fabbf8baddc |
| SHA1 | 55808fb95bcfbf1c1c0a0076129986db23acb76a |
| SHA256 | 276309659efe4a70e707b10b416153f0bb9cc963d097fb97c9c987f998103c7a |
| SHA512 | eb6c13def044a89fa124447006ef94d13c29b8d83fd4f861c4a29fd25ab7df650b8d919b1e0637105c775512f3407f8f53657feed7fdebd2352103a2c755b247 |
memory/4596-742-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1256-745-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3324-750-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4596-754-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3324-763-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4488-773-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1532-772-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1532-781-0x0000000000400000-0x0000000000439000-memory.dmp
memory/736-789-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2004-790-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4164-800-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2004-801-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5100-815-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4164-819-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 5c7a760754eded9b37d54699c5f5dee7 |
| SHA1 | 260583c83bbbb2145e415380d93b34dea8755f8a |
| SHA256 | 78d9c6e9ce645e6b2d9e878a5374e76eee67769748af39bd13c0b68dd9f8a065 |
| SHA512 | e9fc6b1c35c64701bbe3ac53053e0b9a62be8336d4439ccf9d4115e742a446288ca32d87bdef2e5293ca901620ead5aca082ab34d8f2fd2568cc2ac0649d1963 |
memory/5100-836-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2844-844-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2008-845-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2008-855-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3060-863-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3332-871-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2484-873-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2484-880-0x0000000000400000-0x0000000000439000-memory.dmp
memory/416-890-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4572-895-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3956-899-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3844-905-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4572-908-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5024-918-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3844-919-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5024-928-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1984-925-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1984-936-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1220-937-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4724-948-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1220-947-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4724-956-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3772-964-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3504-965-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1704-971-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3772-975-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1704-985-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4732-981-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4732-994-0x0000000000400000-0x0000000000439000-memory.dmp
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
| MD5 | 5688ac07758fb6b5eba09d2527e08875 |
| SHA1 | 532dfb64659cc56fb227035e8e78e0cda5bb6473 |
| SHA256 | b77ceeb3873cfb08d613394caaa20dbfff0f42e35320e111300e9895bfc2a4ec |
| SHA512 | d0d258aa39a8b058bb98da76c41f6c0b685a040b2cbffc1116381ded153674515e8654218d84e71827c01cf6c3578195c216c9da1c28e9fe1f3e1f9415ebe06e |
C:\Users\Admin\Downloads\wgMo.exe
| MD5 | c620d1438e4e4f74629f9591b91cb288 |
| SHA1 | 6ecbee28e06cc3bae7a47a5620da04ccea655f39 |
| SHA256 | 6944217745a1a0b71bdfb648e7c9dbd3545a516e309062f8ddc7ccdbb1dbf94b |
| SHA512 | 8acd5023c9cc4468e003ea41387b1a52a51542f4e6ba7fd16415219218e8f636066b53dec5f22f4d6b9c4263fcf33e3d1ace7bee2f8f48081aea769ed7c104fe |
C:\Users\Admin\Downloads\cIcY.exe
| MD5 | 3a36eb5f801c077d1a95cfc4efc5c3cb |
| SHA1 | b0d4008532bf32a27bf65c71a02a52019b9c9022 |
| SHA256 | 074663af6da3c4b421fc9fec0c2b50112b34556ec00aef89f8ceae9dc18b23a6 |
| SHA512 | 3b612f30b05ef676ba4ff051ca3cfab08135604309b4d81b39d55bca8961b76a03dd6643a98cacba75960737a892e56c27be232e630ff11569f160cc4695b6cd |
C:\Users\Admin\Downloads\sMsm.ico
| MD5 | 9af98ac11e0ef05c4c1b9f50e0764888 |
| SHA1 | 0b15f3f188a4d2e6daec528802f291805fad3f58 |
| SHA256 | c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62 |
| SHA512 | 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1 |
C:\Users\Admin\Downloads\Uokg.exe
| MD5 | c4bdfb8a1ef7b90867cea76980cf32e5 |
| SHA1 | 80d4dfab006174d2ebd52e8d86be859ad0cd71b8 |
| SHA256 | 5be3d37d5d28a940bdf021352ac34284cd2fd6baa270731f4cde45f536e40028 |
| SHA512 | cc806bc4a1c14130c7535481bec0904b58545316fab2e20f7a84a1b5969f86332a389fbdc78f1f2f8fdbe531986a9b92483dda1c2933033105bc326a8139d8e5 |
C:\Users\Admin\Downloads\yIMG.exe
| MD5 | 13863cd09e0e668dd7220578b6623163 |
| SHA1 | bd3c3076448ba2ecf3e1b178f4b1aa5758e2e81c |
| SHA256 | f235969d0452e458c2a97db6c4519a124ae2348dc5a560c613af1978f65654a8 |
| SHA512 | 33cdd64d48954701cfbf0cc3eef3cfcd999bbf0e09dcb8ae067d3a5960b5c8cb63920ee39024c0e7b3cf36c6364aa402511af2e7ebc00159e2f145177cfdac32 |
C:\Users\Admin\Downloads\AYQK.exe
| MD5 | 6aefa09efc2668164fde2351b66a47f3 |
| SHA1 | f352a1d9f9fb5fbe68a6996e84bdc3190d1722bc |
| SHA256 | b76edc02bcc2c8da1ee239e281e3cc55b8dbe3e62f6243d7a24789d38300efe1 |
| SHA512 | ec7bcf236012178ae3ae599564ac970745f14cb32e549bd7f4c13ec937022b1de15b404b6bee492b63bd8008f75cbd802714f4428b202fcf5b3f81e289b350bf |
C:\Users\Admin\Downloads\CwYy.exe
| MD5 | bf15b651fbee91a49300b4f4b2604560 |
| SHA1 | 1ca7748d0e2dfb6edf449aae0ccbb2e631b931ab |
| SHA256 | d5ea0b02f013f182918aaf3845b05eaace8f295a75b9f1551ca65958673caf0e |
| SHA512 | 9f13f7badee2329066d0f1f4c23be2db62a01a2368ae674450445665c808779de8a7ad45daa8ef6c5d4a29a7e738ca3970af13d2be4f0ff33e27a502de0e5796 |
C:\Users\Admin\Downloads\uEsq.exe
| MD5 | 4e1d075d83bdb1cc9df730b2bb65d893 |
| SHA1 | 0f67d2b72b24497a1895c16716f5080fc2a46477 |
| SHA256 | 34ce9d0757cdba0b95f844f6a0bbf6ccb96ec30cfa190cbd97ed63972632bdab |
| SHA512 | 7ecb613b412d5938531afb75ea9f47649fc7337782da57a5ddbce4842f61d70ce49af2b080f10291154db9a93b73b1fd680ac1ddf752d5c6d80c6da96e226678 |
C:\Users\Admin\Downloads\IQcs.exe
| MD5 | c479f18ba9390b26ca8e8af5b94cee81 |
| SHA1 | ddf20868fe4d6f8e7e680029c4048e655327c9a1 |
| SHA256 | 8cef9acf305f6bc84a350b48f50323c7734742d6f403b885b6e8cf8de158328e |
| SHA512 | 88f1b2c75bfd9e84734632ac4a955d0d6d5aff05b1ceb6dc9ea0bcc806c3cfc5d738685231f4776a50b5265e99cdabed5595a71af0b7909f5f7747a0b9263d5d |
C:\Users\Admin\Downloads\YYgc.exe
| MD5 | 5a12600134ae8869b32d31c5b4328d66 |
| SHA1 | b75b96b05f2bf9d0bd0455a5a2bc573982eef085 |
| SHA256 | e3ea94d18c10bd220b897ee84fb75cc80598465cc20da1f3467f82a5a84c3f08 |
| SHA512 | 056d9e64be181ceab058ab0338113247c778ce7bc5d7c163e86595ed13fbd8c893afff65ca3888a9caa938cecb32abbaf597c05534d15ce60c00b67ce92388b6 |
C:\Users\Admin\Downloads\aoQU.exe
| MD5 | 2bc9e7e229224635ee92dd13508080c3 |
| SHA1 | 6e1a23431717f2928270d8451cfb15bd25875d15 |
| SHA256 | 25b3a7ca3f4e450fe81e02b2ab5012a16f28c017a45ba5ae9b50fabcee6a75a3 |
| SHA512 | fd43786d97dea4a92938150e0e871f20c8615c7aef21abbf486f4ff68d9406daeeca63e3ff292ad390a9ba9b17099be4da424a2ee382cb3c9bd764563fdfd482 |
C:\Users\Admin\Downloads\MwES.exe
| MD5 | 7fa74e5fb4072b3d931f0f29a7fc7ad6 |
| SHA1 | b90eef7a16360ef3154b44fbebeca3a5f65ef9e0 |
| SHA256 | 0abc31b948177a9f010c2aca09b7abd3190aabe833517e26c26db7e87df243af |
| SHA512 | e40f388bd17eedf18365d608b905abc6801025735a40ccc9e3baee1dcfba0edf7853680e5612d444143dc6933d8adc1579ac21225dd5ae7fc34e867f0190e253 |
C:\Users\Admin\Downloads\iAsm.exe
| MD5 | 9a59b60d80d3830d602141575a5130e5 |
| SHA1 | d0cfb10614b6e886e54a2fe4ccf64c5835985511 |
| SHA256 | ba64885da0a8536f71c4d35a525eb56a828a6e9f4c9e49a2b2117d15889c985d |
| SHA512 | 2087b1bf359137c0d5fb1a3c5f146c4b89f193e573fe7861c3401c2f2a525fac50d45ae0bf6c02ab0a9507cb7bcca4ddf365e6a1f5450c26ad94b66ab93dace9 |
C:\Users\Admin\Downloads\usEU.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\Downloads\uEEE.exe
| MD5 | 67b32753391a17c0ffde3c1520df3aa3 |
| SHA1 | cbf510e18de7a2bdf9063fb4f75715d4700b518c |
| SHA256 | af26ee1693006c1d49b503bc51a7c3e256e8690f4f8242cc65e6812637ba777b |
| SHA512 | bbc7a2e4898f2b1abe6b4170d5f1a101e788e62aa3ddb9fc232aaaab0b34b7b89b8523703432f6c467247c70143ebe9d1445d438c77e78081763a54ecbda120e |
C:\Users\Admin\Downloads\EQwk.exe
| MD5 | dc6b8bef7a8fbb312aa3dfd2f316e5b2 |
| SHA1 | cbcff511a2eabd14646f9684b2d5fb642261e233 |
| SHA256 | 96098a19d6edc327086a06b14772f661671ef6c48b7021b24a94d82abc794ffa |
| SHA512 | 5210e62c1662c311f9856d1571e74fc3bba9ad861fe03daff36855f81f82a8a432e5b6ad047e2a1b4c811878e016f931a8c5e9a2f66572ec04107a50fedf3f25 |
C:\Users\Admin\Downloads\wIQG.exe
| MD5 | 13baad887627acc0a1d69545c3515ad6 |
| SHA1 | e27e4e11590649cb507cc29c90cbcc0cededaae3 |
| SHA256 | 45ebaa6da6db10a99da7188ab21696af3ca1852bc38a1eae4814d1547a655a77 |
| SHA512 | c0436a228b3eeb59cf12aaae377123c19000177d1a06760d8ad33efc15394b9994d61cadf030443e466d05bc7304c6f16e6bdb15958ded1c4110764528bd5ac2 |
C:\Users\Admin\Downloads\Gosc.exe
| MD5 | 7925356149001434da63f884653c5a45 |
| SHA1 | 2c7a44cd4bea4302ee07e94abd762b6d4cde8f50 |
| SHA256 | 7330056f491004e4360bb0a1dc8618b17b7373348f8ad56c72c9792295847c81 |
| SHA512 | b19d6e2eb5b982cd96e1eb0917177f285ca1e7be59b377acd899c9ee7ed6873709bb6292a58cc2a2e7446b78bae9732e1264442d72a96a4385fb211d0467c9c0 |
C:\Users\Admin\Downloads\EAUy.exe
| MD5 | f1bd09b0604df204afcd65cfacd220c2 |
| SHA1 | c6ab27a5f15cabf08fe607655d60614362d7dba0 |
| SHA256 | d1ce3cfd0b8455957252e47eb78220d1606bc387716eea8290d2f7ec8200200e |
| SHA512 | bf707d93405bd4a14304c6c40390b69b9099f6a1eae7800bde85659a6a34fe2fc416a5b95d7d7108922461e5d5044294b805b6940a5bb7e7a186e0d8d1b8541d |
C:\Users\Admin\Downloads\mgUK.exe
| MD5 | 79249a2ec39ebf08dff29acdab47e71d |
| SHA1 | 1e8ed6d1823996df8eb9dc387ad6d1adcec81b1d |
| SHA256 | 47994050044d16ebb6428a3b59a35b510cbe69e1ab20bebc1543baed8e702e8f |
| SHA512 | 0e9921f36092073baf0788ab8fba9672780f98fdc2b1e9b9400b39b2abd3342c9d40abea186f8be8d2a8fca2722252c54bfd4f67fc2b034de01e926034f0d2dd |
C:\Users\Admin\Downloads\IIse.exe
| MD5 | 8b81504bde41c4bb0614ddc072ec5dc2 |
| SHA1 | 8904f812bdb807ea838eef2a6e7af2b1b543f5a2 |
| SHA256 | 6206e6499f68d4e2cc7b87a04fb5ad778f2ea9672da22648a861b792a233926b |
| SHA512 | f6ec57b11127eeb2983366ebc720d010dacbc0c27c4902d517166a1420acafb304245f88a42412222c370ce71b58f6c4085b6fa1f9a86f543e2525c7eff1b3dc |
C:\Users\Admin\Downloads\iUcC.exe
| MD5 | 2365f52a07c7100a35753ccfa29287b8 |
| SHA1 | 0d163de3d50d846681b173199df53babbff52b58 |
| SHA256 | f61cdee386dd2aa7066e293def2c3732d517abbc0f7a032a54352258d642792f |
| SHA512 | 3dc3b51fcb2400eb336bb7ea8e13cae72ed91fc40f430e005b53504e9c62d6def6940a7f737eea0860c62e452229fdb334797a27fd5ca3a59ea73d1b3aa39a20 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c94aeea2af7efed43350a0b77059e2c0 |
| SHA1 | ecee8e645f62b0994c1221a851e86881e13e8088 |
| SHA256 | 9bcd9144e930f1d7f085ffa2ff7270db6d2392e8c3e9301b5e7f8fa50afaee09 |
| SHA512 | 50920e6ac8cd33eeaf40a5096eef23d781fedf9e415a927a28ce2bc38600db8be4ed12630298c494c4552860b9a9493ea6a6111cd835516a4715ae96525d76b8 |
C:\Users\Admin\Downloads\QkQQ.exe
| MD5 | 576c0f2d3f52e37d8907fed4534c570e |
| SHA1 | 22cbc349f2e093f8bc3972fe42e3758d9d3adee9 |
| SHA256 | 004393f37fb9eb66bad6a4517c151ef75c1a3450ee2ed18f11f8a99409294d57 |
| SHA512 | baf55eedebf1db877bd7468272ff3e209100b6f4bc6ab12b6736f7647f8ab8586891d4f2e7fc977b6050969b8eb4e98264d82ec554e41be174ce091f1e92b557 |
C:\Users\Admin\Downloads\mwwQ.exe
| MD5 | 052ae297f85cb6b4db468e866f2056e3 |
| SHA1 | e747f49d4e7ed8f631b08ad384bec6f47d953c76 |
| SHA256 | 82e4feafb70c531640f5af1cf0ec892acb62b8e776a508eabe0fba42d66ae601 |
| SHA512 | 4aa79259c97457789da0886b0f6193f386f5a9b4bfc48d26aab01dd812306dcf79f60dc8748561433012bdd59ef48666b5ce599119185645a1ad8f728c4496d5 |
C:\Users\Admin\Downloads\YIgk.exe
| MD5 | 576ca4e4ee47247141cebc80fa2facee |
| SHA1 | ec17198802ac190c6f4b26d0d3d54bc4b4d3e005 |
| SHA256 | eec28d49a95bab61608d8b420e6be9de89ef4777b4d146a40470e5792677bc12 |
| SHA512 | 585e0c579f0fe02b5187331ba1a60fc56aa7dbf9b4d8e48d662e80454bb9cb2ee7e49c4d0d3642985816dc054d2978cbb8ddca01f45d7a4845c670972552bafd |
C:\windows.exe
| MD5 | e9e5596b42f209cc058b55edc2737a80 |
| SHA1 | f30232697b3f54e58af08421da697262c99ec48b |
| SHA256 | 9ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305 |
| SHA512 | e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7 |
C:\Users\Admin\Downloads\WcEQ.exe
| MD5 | 6ac7af8df2b38847ad6087288c76221b |
| SHA1 | 3b0ec3edecf571ff025fc257fe436d1190274c0b |
| SHA256 | 7ea62d25f0bd4c2a99c5f84e054bfebf42b14bed6cc05e96a2a6e69bf4422749 |
| SHA512 | ffdc501b434730a14807c8625590b53181762537ab61a5aab8d92f86d61742699185fafe0402e1c5d85e5f3b770c6bc61d8e4dbddc15eec1137ada5a7701c2c0 |
C:\Users\Admin\Downloads\WoMo.exe
| MD5 | d9b2ccf3821a2c1a93e5d27b219ec3c5 |
| SHA1 | 4b2d6bafe7ebe8d477bfde04f560a3c63ba64966 |
| SHA256 | b45e98b1779d94826f8eb4a90de93e892ce157d991e73a779b35497490970c5b |
| SHA512 | c17bffeb1c1767e4fdaa8e4ff2b1c4cab616b548aed07941d033bfa400f4e326ec4b65e93e2155a3fdbd3171b51f6a6de9b6a285b702374f44d45283f1a1a102 |
C:\Users\Admin\Downloads\CAgc.exe
| MD5 | 4de9d18c375ce112ec36e995ae42913f |
| SHA1 | 3d1aa39743157db5a612769e39e9f30c7c5f50c1 |
| SHA256 | 4b0aceb412b8056b99324ca65b73f3b82d50652941b6b6b7e0e8d52a43942be4 |