Malware Analysis Report

2024-09-23 16:11

Sample ID 240509-tn7x9aaf9s
Target qrcode_tria.ge.png
SHA256 29b0ad85d3b2aa2292848e5f0ec1f0b06d0c8cc53a7670bcd46cc4f84ebe597d
Tags
qr link defense_evasion evasion execution impact persistence ransomware spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

29b0ad85d3b2aa2292848e5f0ec1f0b06d0c8cc53a7670bcd46cc4f84ebe597d

Threat Level: Known bad

The file qrcode_tria.ge.png was found to be: Known bad.

Malicious Activity Summary

qr link defense_evasion evasion execution impact persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies Windows Defender Real-time Protection settings

UAC bypass

Renames multiple (75) files with added filename extension

Deletes shadow copies

Downloads MZ/PE file

Sets file execution options in registry

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Modifies Windows Firewall

Disables use of System Restore points

Executes dropped EXE

Reads user/profile data of web browsers

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops autorun.inf file

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

One or more HTTP URLs in qr code identified

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

NTFS ADS

Uses Volume Shadow Copy service COM API

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-09 16:13

Signatures

One or more HTTP URLs in qr code identified

qr link

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 16:13

Reported

2024-05-09 16:16

Platform

win11-20240426-en

Max time kernel

142s

Max time network

143s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\qrcode_tria.ge.png

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A
(this identical event is recorded 64 times in the log)

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A
(this identical event is recorded 22 times in the log)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A
(this identical event is recorded a further 41 times in the log)

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (75) files with added filename extension

ransomware

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\RedEye.exe | N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\NetSh.exe | N/A

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\RedEye.exe | N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe N/A
N/A N/A C:\ProgramData\nckoIowA\XewwoIoc.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwEgMQIw.exe = "C:\\Users\\Admin\\ZGsYEYkQ\\mwEgMQIw.exe" C:\Users\Admin\Downloads\PolyRansom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XewwoIoc.exe = "C:\\ProgramData\\nckoIowA\\XewwoIoc.exe" C:\Users\Admin\Downloads\PolyRansom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\mwEgMQIw.exe = "C:\\Users\\Admin\\ZGsYEYkQ\\mwEgMQIw.exe" C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XewwoIoc.exe = "C:\\ProgramData\\nckoIowA\\XewwoIoc.exe" C:\ProgramData\nckoIowA\XewwoIoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" C:\Users\Admin\Downloads\RedEye.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Downloads\RedEye.exe N/A
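The three registry signatures above are the core of the sample's defense evasion and persistence, and the raw rows are easier to triage with a few lines of code than by eye. Windows consults Image File Execution Options\<image>\Debugger whenever a process with that image name is created and launches the Debugger value instead, with the original command line appended; a value such as "RIP" names nothing that exists, so Task Manager, rstrui.exe, bcdedit.exe, PowerShell, the browsers and the listed removal tools simply fail to start. The Run entries persist the two payloads under a misleading "Windows Update" name and under random names, all pointing into user-writable locations. The "Checks whether UAC is enabled" row is in fact a write, not a read: EnableLUA set to 0 turns off UAC prompting after the next logon. The script below is an added example, not part of the sandbox report or of the sample; it parses a constructed subset of the rows shown on this page (same "Description Indicator Process Target" layout) and extracts the hijacked images, the Run-key targets and the UAC change. The row subset, the path heuristics and all function names are assumptions made here.

```python
import re

# Constructed subset of the registry rows shown in this report (sandbox
# "Description Indicator Process Target" layout); the report has many more IFEO rows.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe\Debugger = "RIP" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XewwoIoc.exe = "C:\\ProgramData\\nckoIowA\\XewwoIoc.exe" C:\Users\Admin\Downloads\PolyRansom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Downloads\RedEye.exe N/A
"""

# "Set value (type) <key>\<name> = "<value>" <process> N/A" and "Key created <key> <process> N/A"
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*?)" (.+?) N/A$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+?) (C:\\.+?) N/A$')

IFEO_PREFIX = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options").lower()
RUN_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Run".lower()
# Assumed heuristic: autostart targets under these paths are writable without admin rights.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")


def parse_event(line):
    m = SET_RE.match(line)
    if m:
        vtype, path, value, proc = m.groups()
        key, _, name = path.rpartition("\\")
        return {"op": "set", "type": vtype, "key": key, "name": name, "value": value, "process": proc}
    m = KEY_RE.match(line)
    if m:
        key, proc = m.groups()
        return {"op": "create", "type": None, "key": key, "name": None, "value": None, "process": proc}
    return None


def parse_rows(text):
    return [e for e in (parse_event(l.strip()) for l in text.strip().splitlines()) if e]


def ifeo_entries(events):
    """Map each image touched under IFEO to its Debugger value (None = key created only)."""
    entries = {}
    for e in events:
        if not e["key"].lower().startswith(IFEO_PREFIX + "\\"):
            continue
        image = e["key"].rpartition("\\")[2]
        if e["op"] == "create":
            entries.setdefault(image, None)          # do not clobber a Debugger seen earlier
        elif e["name"].lower() == "debugger":
            entries[image] = e["value"]
    return entries


def looks_like_path(value):
    """A real debugger is an absolute path; "RIP" is not, so the target can never launch."""
    return re.match(r"^[a-z]:\\", value, re.I) is not None


def blocked_tools(entries):
    return sorted(image for image, dbg in entries.items() if dbg is not None)


def run_key_persistence(events):
    out = []
    for e in events:
        if e["op"] != "set" or not e["key"].lower().endswith(RUN_SUFFIX):
            continue
        target = e["value"].replace("\\\\", "\\")   # sandbox prints REG_SZ with doubled backslashes
        out.append({
            "name": e["name"],
            "target": target,
            "scope": "HKLM" if e["key"].lower().startswith(r"\registry\machine") else "HKU",
            "user_writable": any(p in target.lower() for p in USER_WRITABLE),
            "writer": e["process"],
        })
    return out


def uac_disabled(events):
    """EnableLUA = 0 under Policies\\System disables UAC prompts after the next logon."""
    return any(e["op"] == "set" and e["name"].lower() == "enablelua"
               and e["key"].lower().endswith(r"\policies\system") and e["value"] == "0"
               for e in events)


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print("IFEO hijacked:", blocked_tools(ifeo_entries(evs)))
    for r in run_key_persistence(evs):
        print("Run key:", r)
    print("UAC disabled:", uac_disabled(evs))
```

On a live host the same checks translate to enumerating HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options for any subkey with a Debugger value, and to comparing every Run value against its on-disk target; a Debugger that is not a path to an existing binary, or a "Windows Update" autostart pointing into Downloads, has no legitimate explanation.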

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\Downloads\RedEye.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\Downloads\RedEye.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp" C:\Users\Admin\Downloads\RedEye.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Nope.txt C:\Users\Admin\Downloads\RedEye.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
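The three vssadmin.exe launches above are logged without their command lines, but together with the "Deletes shadow copies", "Disables use of System Restore points" and "Uses Volume Shadow Copy service COM API" signatures, and with the IFEO entries that block rstrui.exe and bcdedit.exe, they describe the usual ransomware recovery-inhibition sequence. The detection below is an added example, not part of the report; it runs a handful of command-line rules over constructed process-creation records (timestamp, parent image, image, command line) and flags the recovery-killing ones while letting a read-only "vssadmin list shadows" through. The log lines, rule names and the "trusted parent directory" heuristic are assumptions; the command lines are typical ones, not the ones this sample used.

```python
import re

# Constructed process-creation records (timestamp|ParentImage|Image|CommandLine). These are
# not from this report, which records the vssadmin.exe launches without command lines.
SAMPLE_LOG = r"""
2024-09-23T16:12:01|C:\Users\Admin\Downloads\RedEye.exe|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2024-09-23T16:12:02|C:\Users\Admin\Downloads\RedEye.exe|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c wmic shadowcopy delete
2024-09-23T16:12:03|C:\Users\Admin\Downloads\RedEye.exe|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled no
2024-09-23T16:12:04|C:\Windows\System32\svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2024-09-23T16:12:05|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet
2024-09-23T16:12:06|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"
"""

# Rule name, regex over the lower-cased command line. Read-only verbs (list, query) are not matched.
RULES = [
    ("vssadmin delete shadows", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("vssadmin resize shadowstorage", r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("wmic shadowcopy delete", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("bcdedit disable recovery",
     r"bcdedit(\.exe)?\s+/set\s+.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("wbadmin delete catalog", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("powershell Win32_ShadowCopy delete",
     r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))"),
]

# Assumed heuristic: a recovery-related command whose parent lives outside these
# directories (for example a binary in Downloads) deserves a higher score.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_line(line):
    ts, parent, image, cmd = line.split("|", 3)   # the command line may itself contain '|'
    return {"ts": ts, "parent": parent, "image": image, "cmd": cmd}


def classify(event):
    """Return the first matching rule name, or None for a benign command line."""
    cmd = event["cmd"].lower()
    for name, pattern in RULES:
        if re.search(pattern, cmd):
            return name
    return None


def scan(log_text):
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        rule = classify(ev)
        if rule is None:
            continue
        ev["rule"] = rule
        ev["untrusted_parent"] = not ev["parent"].lower().startswith(TRUSTED_PARENT_DIRS)
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        flag = "!" if h["untrusted_parent"] else " "
        print(f"{flag} {h['ts']} {h['rule']:36} <- {h['parent']}")
```

Command-line rules only see the vssadmin, wmic and bcdedit path. The report also flags use of the VSS COM API; a sample that calls IVssBackupComponents::DeleteSnapshots directly never spawns vssadmin.exe, so pair these rules with the VSS provider's Application-log event 8222 (shadow copy deleted) and with monitoring for non-backup software starting the VSS service.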

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "203" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133597448531665100" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Users\Admin\Downloads\RedEye.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\windows.exe\:Zone.Identifier:$DATA C:\Users\Admin\Downloads\RedEye.exe N/A
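Zone.Identifier is the Mark-of-the-Web stream: the two chrome.exe rows are the browser stamping its own downloads, which is expected, while the third row is the sample itself creating the stream on a copy it dropped at C:\windows.exe. NTFS carries alternate data streams along when a file is copied, so a MotW on a file outside the user profile, or written by something that is not a browser, is a useful pivot when reconstructing where a dropped binary came from. The code below is an added example, not part of the report; it parses the three ADS rows in the report's own layout, separates the expected browser writes from the rest, and parses a constructed Zone.Identifier body (the report does not show the stream contents) to recover the zone and source URL. The row parser, the browser list, the profile-path heuristic and the example URL are assumptions.

```python
import configparser
import re

# The three NTFS ADS rows from this report, in the sandbox "Description Indicator Process Target" layout.
SAMPLE_ADS_ROWS = r"""
File opened for modification C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Users\Admin\Downloads\RedEye.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\windows.exe\:Zone.Identifier:$DATA C:\Users\Admin\Downloads\RedEye.exe N/A
"""

# Constructed Zone.Identifier body; the report does not show stream contents. The URL is a placeholder.
SAMPLE_MOTW = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://downloads.example/
HostUrl=https://downloads.example/RedEye.exe
"""

ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
# Assumed list of processes expected to write Mark-of-the-Web on fresh downloads.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")

# Accepts both "<file>:Zone.Identifier" and the "<file>\:Zone.Identifier:$DATA" spelling seen in the report.
ROW_RE = re.compile(r"^(File created|File opened for modification) (.+?):Zone\.Identifier(?::\$DATA)? (.+?) N/A$")


def parse_ads_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        op, host, proc = m.groups()
        rows.append({"op": op, "host": host.rstrip("\\"), "process": proc})
    return rows


def motw_anomalies(rows):
    """Keep rows where the writer is not a browser or the stamped file sits outside C:\\Users."""
    out = []
    for r in rows:
        writer = r["process"].rpartition("\\")[2].lower()
        in_profile = r["host"].lower().startswith("c:\\users\\")
        if writer not in BROWSERS or not in_profile:
            out.append(r)
    return out


def parse_motw(stream_text):
    """Zone.Identifier is INI-formatted; ZoneId 3 (Internet) is what triggers SmartScreen and
    the Office Protected View, and HostUrl/ReferrerUrl record where the file was fetched from."""
    cfg = configparser.ConfigParser()
    cfg.read_string(stream_text)
    zt = cfg["ZoneTransfer"]
    zone = int(zt.get("ZoneId", "0"))
    return {
        "zone_id": zone,
        "zone": ZONES.get(zone, "unknown"),
        "host_url": zt.get("HostUrl", ""),
        "referrer_url": zt.get("ReferrerUrl", ""),
        "from_internet": zone >= 3,
    }


if __name__ == "__main__":
    for r in motw_anomalies(parse_ads_rows(SAMPLE_ADS_ROWS)):
        print("unexpected MotW writer:", r)
    print(parse_motw(SAMPLE_MOTW))
```

On a live Windows host the stream of a suspect file is read with the same parser via open(path + ":Zone.Identifier"), and a copy that still carries the original HostUrl ties the dropped file back to the download that the "Downloads MZ/PE file" signature recorded.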

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\PolyRansom.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3404 wrote to memory of 2500 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3404 wrote to memory of 2500 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3404 wrote to memory of 1032 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3404 wrote to memory of 1032 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3404 wrote to memory of 4992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3404 wrote to memory of 2184 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Downloads\RedEye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\Downloads\RedEye.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "4" C:\Users\Admin\Downloads\RedEye.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Downloads\RedEye.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" C:\Users\Admin\Downloads\RedEye.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Downloads\RedEye.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\qrcode_tria.ge.png

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae599ab58,0x7ffae599ab68,0x7ffae599ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4276 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x214,0x25c,0x7ff71a3aae48,0x7ff71a3aae58,0x7ff71a3aae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff71a3aae48,0x7ff71a3aae58,0x7ff71a3aae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4652 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2604 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4620 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4540 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5132 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Users\Admin\Downloads\PolyRansom.exe

"C:\Users\Admin\Downloads\PolyRansom.exe"

C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe

"C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe"

C:\ProgramData\nckoIowA\XewwoIoc.exe

"C:\ProgramData\nckoIowA\XewwoIoc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcYMkggU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKkUAoUQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmUUsgIk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MScIscsY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiAUossc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pagAwgkY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAgYIIws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMwEokAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQgEMoEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUIkoIAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGoIYMIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAMAgYUc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYQEoEQY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuUsgkAY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcwkUQcc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGMQUEMY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKYEocYA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgkkAUEQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAAQkccw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCoYIUog.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PewAIIsY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYQMgYME.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOEYQkgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MywoEsEc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEgYwgMM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sosEwEMM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEgIAwEE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWMwQwsg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zycMEAcY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKsUEcQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IukgcYIk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goUsEcUg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waokssww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCYQYcws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGwYkIMU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkwYYIUQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peoEMQkY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AssIEoEw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csYQEgQQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssAEQkEo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYYswAMs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGAoUkgk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUYgUwYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsEMEMMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKooUUwI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmYoMYoM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAokMscU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iigMYYUU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAAooIEg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paYYkMwA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOcIwscc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgcsYgok.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCIEEQEk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qscQgcAA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEkIwMsI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaEwsQUI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmMkgQUg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSoYMgEE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5256 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3392 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSosgQss.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swYEQYcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KakkYswo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeYkkgcg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIscUIYk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMkEwQkg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuAEQEsM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgwswMwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkMsEAIg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOosYwoo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oagUgIoI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 --field-trial-handle=1552,i,2208045026530063604,13066518596568201045,131072 /prefetch:8

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkAkgAwo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUgscUEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwcokQEs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEsAsEcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkgwYMgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYsgEsEI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcEEUowU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\Downloads\RedEye.exe

"C:\Users\Admin\Downloads\RedEye.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOAQssIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwsgcwIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIcIIkQg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAUkcEMY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQMEYsEM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fygkAsAA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMMYMUwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOEQYokI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"

C:\Users\Admin\Downloads\PolyRansom.exe

C:\Users\Admin\Downloads\PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGsAoEYM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SYSTEM32\NetSh.exe

NetSh Advfirewall set allprofiles state off

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\RedEye.exe

"C:\Users\Admin\Downloads\RedEye.exe"

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" -r -t 00 -f

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3826855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
GB 142.250.187.206:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 consent.google.com udp
GB 172.217.16.238:443 consent.google.com tcp
GB 142.250.187.206:443 play.google.com udp
GB 172.217.16.238:443 consent.google.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 140.82.114.22:443 collector.github.com tcp
US 140.82.114.22:443 collector.github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
BO 200.87.164.69:9999 tcp
GB 142.250.200.14:80 google.com tcp
GB 142.250.200.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.169.35:443 beacons.gcp.gvt2.com tcp
GB 172.217.16.238:443 consent.google.com udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
N/A 127.0.0.1:51315 tcp

Files

\??\pipe\crashpad_3404_XXQOAHVUJDQVTGRU

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 0efe800111205678762f4ea54fab0959
SHA1 c20a675ff21757b585796c512ad8078da569cd44
SHA256 79f3bbd05cbbd7cffa2cd5ef2018bfe4c55d9d0ed174042b01f37d845026c054
SHA512 3dbaad8a95a334a95bd30d4f6f3d7a7e8913eecabcc49d19cd858fc188036a2f2694ebd7019c601c351939276a2828feb3ac7d3f72abd29a6a993d54bb054fb2

C:\Windows\TEMP\Crashpad\settings.dat

MD5 7456235c901a796fbcda597c24898e9e
SHA1 1d6a9e5fd69e1b88ea1def2b6d2a43f0f13bc222
SHA256 b1c7f2f6666930e89726a9a0c2f720c866df5075af3f89c9a8ff3674d79d9ada
SHA512 67d083634583a960be6e7f85a1b061af2b53fa1c8fb48a5631e78c0b7eb2628301809038d8509a986620b1928a5f4ae509d6e4f22d188a836e02d2e6928d8fc8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 fd5f146ade9734413bc4f60bd3a3ddb5
SHA1 700930827abe836656196f1aaf9de24621f20301
SHA256 95bcfbb5e242f22ba2ee8c3567637203a271f4ad23d93a70523ed692429a1631
SHA512 7413bafbf3d85acf081e8c591326dc0739d842387e05b555568f9fb89f09cdda1625bf3c9e0dd12d1b8467a61c9c7e4767b9d33df313bf6b4d60cca7fed2cc1a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 61b2978ddb88dc642454eb5dbcfb3c10
SHA1 ac23b47b9a37804117b569898f17374d5197abed
SHA256 734ec0238204addc974d7bcd2735bc8d6b043ae24dc48303cf49a34f047441b7
SHA512 23128ebb017a2628cf77dc684719ee3f447197a4b7c954fabfb0730f515e4a878e0d7a412d2952582593bc5ddd4ff38e51708f1d9d42a1e522147d39a397c94d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 03e8e346263a595989e27fe5b3cf8f12
SHA1 6e86686367ae66915460d4e1d7332fd5c55ad83a
SHA256 695dd0858c26b8a827ee64533135593a2d44a1f2501453a0c319252925af4fc4
SHA512 ee4e243999ac43326a1740626f21775582c45829c66c6ba21737c4466dd548b32630db606c5980b051d83f71c6733127ee8b036858e90c2325c81cf5df7a57f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b61a266fd172f16753caf8bce23648bd
SHA1 484d38c6e8312c55e4191398799ac775fa814f70
SHA256 8ba902417e259e5f050bf74587e389411e6eb3707d31e3dc87861b0385392e5e
SHA512 8593bf2ecc04e549fee6ee3b1dd31ce9c21ea59f4a361f43c4a4c0e98189f43b54f469d8ec4c1bcdea56831251a66b391bf7afacda301348b29c81932fb3559f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 484beec07ce782286d1b48d0595400a7
SHA1 eb309492de93882cd59a604a545a4f8ba5b444a0
SHA256 50194575d8130d8324d0cc567dc7d6a8d36036b57c740ff34b4da8e14379b4c5
SHA512 38011779c25eecccd9f48f262c42a62ab92c6cb57d51c321a98f5210a3f92aec9ad930d3083580a86b11e69fa83a54e12815fb21add671accfca0e4fe8005d99

C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier

MD5 7689f7bff089c1cb90c9ddb054eebab5
SHA1 899fc099b5055428cccbf439f804bf35abc5d4f0
SHA256 7600d79cc7a524308380939fee0ab6ffde2d01f3812e02b343dc13634d726e1c
SHA512 2bad3c3ad2bf1a771ec323ed6b20166f1a06487690bb1469d5b8a64daef01b1a993ad9ff91d7c3c0197f1ed224e5b48e1021984fd9a26ba3b60ca60f46df19c4

C:\Users\Admin\Downloads\PolyRansom.exe

MD5 3ed3fb296a477156bc51aba43d825fc0
SHA1 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512 dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3988a01d6f3557cb779656fd9f625348
SHA1 1b7f316536e94f4cf12a27eef20be629ed55c293
SHA256 f0825165fdbadd3c07d738e1e2f92f060ad3e5ee02f2f8a0e06138a528a20e74
SHA512 c1fe94d25f29e831f24c014bdcc2cda7693f787c46b7c9c039e17a16e66e390a4e4bfe9e0e2b8c4b0a3b0f759f2ceedab8ed19ef806a073fcb99289bc8cc02cc

memory/4700-355-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 1c4645d5400a2b5ed5f3499d9a91f3df
SHA1 85fbc48b58b6f435449bd1f4f723d9abe5e28867
SHA256 ff25cabd8a9f9c2febc4ad17215a692fc23378c68574210699df78f2a6c0888c
SHA512 384ca7ec352204961ba8a79f7a02c97cb1020ce33cdccb66ef489fd867760936719fefe85c129f20ddf7c3cd1e107c95ca61f37677a48befd5f7e5f36b263f29

memory/4400-374-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2136-373-0x0000000000400000-0x000000000042F000-memory.dmp

C:\ProgramData\nckoIowA\XewwoIoc.exe

MD5 a716940337f91117767d0670cc03a256
SHA1 8b8ed6ec87b2c5d35449234f16c09ead820ff062
SHA256 21ddb903bc94456fe838a3269f8be08a2e55fcc3e75aeec860bb3677ea9fd5c6
SHA512 973dbbcf5b9ec596294270330127cf697f228327d3a044f4bf02ad8615a279eb9d6e703362e2d74e54c76509fa4d40308efe7189e1f82ac00e000736307c6bc2

C:\Users\Admin\ZGsYEYkQ\mwEgMQIw.exe

MD5 e46c8a740f5c4e3dae6968101849fc6c
SHA1 8109390709879c467b5a5e65ed9201779252240b
SHA256 cc6f2f17f408649af9814b0330319efad5aec04dc280b0db269788707d7b3100
SHA512 dab472ed3cac9030b0f18978f458d1fb908b64314a23a0303b97844a9dcdd9ff89bb529723b013bac1fe0667845dec1caf41d89910c8b09832fbc7d7d76eb1db

memory/4700-380-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RcYMkggU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ca2f6432583f2e70609d1e19f5dce491
SHA1 2f555ba65563df7df7691ae4f70d4e4ab538896d
SHA256 a9574c2a623b6ef67b670f256629112d298426e677cb6ac393df1e79d689eeb3
SHA512 657bd7b3af57768a73b9e22956dc258605d55d6bdb51c23d520ce00c3bd87fb692f782f083d4b886e1e665499bba48ef619ab5dbde2bb405192335c5a88db964

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\Downloads\PolyRansom

MD5 2fc0e096bf2f094cca883de93802abb6
SHA1 a4b51b3b4c645a8c082440a6abbc641c5d4ec986
SHA256 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3
SHA512 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

memory/2324-403-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1904-404-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1164-414-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2324-417-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1164-429-0x0000000000400000-0x0000000000439000-memory.dmp

memory/372-442-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4760-443-0x0000000000400000-0x0000000000439000-memory.dmp

memory/372-456-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2204-466-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3436-469-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2204-481-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4652-495-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1400-496-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4652-508-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3844-516-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2764-525-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3296-524-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3296-535-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3544-543-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5068-551-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1004-552-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2856-559-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1004-563-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2004-570-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2856-574-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4884-579-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2004-583-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4884-592-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3844-601-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2332-606-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1772-610-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2332-618-0x0000000000400000-0x0000000000439000-memory.dmp

memory/428-628-0x0000000000400000-0x0000000000439000-memory.dmp

memory/572-636-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3148-641-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1232-645-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3148-654-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2368-663-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4080-668-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3544-672-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4080-680-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4836-687-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2400-691-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4836-699-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4488-704-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3324-708-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2912-714-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4488-717-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2912-727-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 d908ea8f3c5896e7004964b8ab10e152
SHA1 583db0f47de3eb7e845327e9933c0bea2a5d556b
SHA256 550be7b1b7ad86bdebda2ecafba382f83f6e393b387ff2094b90a6f4123bad9c
SHA512 cf4e0e3a9334976c1bd5c5d1cf3e8fb12455b500371acbd4b5d8b0df4e5d54201e65245fcb54465b16f19d6350691034dcdd10d10db20b83ba7200a7b14eee92

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58ef8b.TMP

MD5 14743916100162a89a270fabbf8baddc
SHA1 55808fb95bcfbf1c1c0a0076129986db23acb76a
SHA256 276309659efe4a70e707b10b416153f0bb9cc963d097fb97c9c987f998103c7a
SHA512 eb6c13def044a89fa124447006ef94d13c29b8d83fd4f861c4a29fd25ab7df650b8d919b1e0637105c775512f3407f8f53657feed7fdebd2352103a2c755b247

memory/4596-742-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1256-745-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3324-750-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4596-754-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3324-763-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4488-773-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1532-772-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1532-781-0x0000000000400000-0x0000000000439000-memory.dmp

memory/736-789-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2004-790-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4164-800-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2004-801-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5100-815-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4164-819-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 5c7a760754eded9b37d54699c5f5dee7
SHA1 260583c83bbbb2145e415380d93b34dea8755f8a
SHA256 78d9c6e9ce645e6b2d9e878a5374e76eee67769748af39bd13c0b68dd9f8a065
SHA512 e9fc6b1c35c64701bbe3ac53053e0b9a62be8336d4439ccf9d4115e742a446288ca32d87bdef2e5293ca901620ead5aca082ab34d8f2fd2568cc2ac0649d1963

memory/5100-836-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2844-844-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2008-845-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2008-855-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3060-863-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3332-871-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2484-873-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2484-880-0x0000000000400000-0x0000000000439000-memory.dmp

memory/416-890-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4572-895-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3956-899-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3844-905-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4572-908-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5024-918-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3844-919-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5024-928-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1984-925-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1984-936-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1220-937-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4724-948-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1220-947-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4724-956-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3772-964-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3504-965-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1704-971-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3772-975-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1704-985-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4732-981-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4732-994-0x0000000000400000-0x0000000000439000-memory.dmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 5688ac07758fb6b5eba09d2527e08875
SHA1 532dfb64659cc56fb227035e8e78e0cda5bb6473
SHA256 b77ceeb3873cfb08d613394caaa20dbfff0f42e35320e111300e9895bfc2a4ec
SHA512 d0d258aa39a8b058bb98da76c41f6c0b685a040b2cbffc1116381ded153674515e8654218d84e71827c01cf6c3578195c216c9da1c28e9fe1f3e1f9415ebe06e

C:\Users\Admin\Downloads\wgMo.exe

MD5 c620d1438e4e4f74629f9591b91cb288
SHA1 6ecbee28e06cc3bae7a47a5620da04ccea655f39
SHA256 6944217745a1a0b71bdfb648e7c9dbd3545a516e309062f8ddc7ccdbb1dbf94b
SHA512 8acd5023c9cc4468e003ea41387b1a52a51542f4e6ba7fd16415219218e8f636066b53dec5f22f4d6b9c4263fcf33e3d1ace7bee2f8f48081aea769ed7c104fe

C:\Users\Admin\Downloads\cIcY.exe

MD5 3a36eb5f801c077d1a95cfc4efc5c3cb
SHA1 b0d4008532bf32a27bf65c71a02a52019b9c9022
SHA256 074663af6da3c4b421fc9fec0c2b50112b34556ec00aef89f8ceae9dc18b23a6
SHA512 3b612f30b05ef676ba4ff051ca3cfab08135604309b4d81b39d55bca8961b76a03dd6643a98cacba75960737a892e56c27be232e630ff11569f160cc4695b6cd

C:\Users\Admin\Downloads\sMsm.ico

MD5 9af98ac11e0ef05c4c1b9f50e0764888
SHA1 0b15f3f188a4d2e6daec528802f291805fad3f58
SHA256 c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA512 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

C:\Users\Admin\Downloads\Uokg.exe

MD5 c4bdfb8a1ef7b90867cea76980cf32e5
SHA1 80d4dfab006174d2ebd52e8d86be859ad0cd71b8
SHA256 5be3d37d5d28a940bdf021352ac34284cd2fd6baa270731f4cde45f536e40028
SHA512 cc806bc4a1c14130c7535481bec0904b58545316fab2e20f7a84a1b5969f86332a389fbdc78f1f2f8fdbe531986a9b92483dda1c2933033105bc326a8139d8e5

C:\Users\Admin\Downloads\yIMG.exe

MD5 13863cd09e0e668dd7220578b6623163
SHA1 bd3c3076448ba2ecf3e1b178f4b1aa5758e2e81c
SHA256 f235969d0452e458c2a97db6c4519a124ae2348dc5a560c613af1978f65654a8
SHA512 33cdd64d48954701cfbf0cc3eef3cfcd999bbf0e09dcb8ae067d3a5960b5c8cb63920ee39024c0e7b3cf36c6364aa402511af2e7ebc00159e2f145177cfdac32

C:\Users\Admin\Downloads\AYQK.exe

MD5 6aefa09efc2668164fde2351b66a47f3
SHA1 f352a1d9f9fb5fbe68a6996e84bdc3190d1722bc
SHA256 b76edc02bcc2c8da1ee239e281e3cc55b8dbe3e62f6243d7a24789d38300efe1
SHA512 ec7bcf236012178ae3ae599564ac970745f14cb32e549bd7f4c13ec937022b1de15b404b6bee492b63bd8008f75cbd802714f4428b202fcf5b3f81e289b350bf

C:\Users\Admin\Downloads\CwYy.exe

MD5 bf15b651fbee91a49300b4f4b2604560
SHA1 1ca7748d0e2dfb6edf449aae0ccbb2e631b931ab
SHA256 d5ea0b02f013f182918aaf3845b05eaace8f295a75b9f1551ca65958673caf0e
SHA512 9f13f7badee2329066d0f1f4c23be2db62a01a2368ae674450445665c808779de8a7ad45daa8ef6c5d4a29a7e738ca3970af13d2be4f0ff33e27a502de0e5796

C:\Users\Admin\Downloads\uEsq.exe

MD5 4e1d075d83bdb1cc9df730b2bb65d893
SHA1 0f67d2b72b24497a1895c16716f5080fc2a46477
SHA256 34ce9d0757cdba0b95f844f6a0bbf6ccb96ec30cfa190cbd97ed63972632bdab
SHA512 7ecb613b412d5938531afb75ea9f47649fc7337782da57a5ddbce4842f61d70ce49af2b080f10291154db9a93b73b1fd680ac1ddf752d5c6d80c6da96e226678

C:\Users\Admin\Downloads\IQcs.exe

MD5 c479f18ba9390b26ca8e8af5b94cee81
SHA1 ddf20868fe4d6f8e7e680029c4048e655327c9a1
SHA256 8cef9acf305f6bc84a350b48f50323c7734742d6f403b885b6e8cf8de158328e
SHA512 88f1b2c75bfd9e84734632ac4a955d0d6d5aff05b1ceb6dc9ea0bcc806c3cfc5d738685231f4776a50b5265e99cdabed5595a71af0b7909f5f7747a0b9263d5d

C:\Users\Admin\Downloads\YYgc.exe

MD5 5a12600134ae8869b32d31c5b4328d66
SHA1 b75b96b05f2bf9d0bd0455a5a2bc573982eef085
SHA256 e3ea94d18c10bd220b897ee84fb75cc80598465cc20da1f3467f82a5a84c3f08
SHA512 056d9e64be181ceab058ab0338113247c778ce7bc5d7c163e86595ed13fbd8c893afff65ca3888a9caa938cecb32abbaf597c05534d15ce60c00b67ce92388b6

C:\Users\Admin\Downloads\aoQU.exe

MD5 2bc9e7e229224635ee92dd13508080c3
SHA1 6e1a23431717f2928270d8451cfb15bd25875d15
SHA256 25b3a7ca3f4e450fe81e02b2ab5012a16f28c017a45ba5ae9b50fabcee6a75a3
SHA512 fd43786d97dea4a92938150e0e871f20c8615c7aef21abbf486f4ff68d9406daeeca63e3ff292ad390a9ba9b17099be4da424a2ee382cb3c9bd764563fdfd482

C:\Users\Admin\Downloads\MwES.exe

MD5 7fa74e5fb4072b3d931f0f29a7fc7ad6
SHA1 b90eef7a16360ef3154b44fbebeca3a5f65ef9e0
SHA256 0abc31b948177a9f010c2aca09b7abd3190aabe833517e26c26db7e87df243af
SHA512 e40f388bd17eedf18365d608b905abc6801025735a40ccc9e3baee1dcfba0edf7853680e5612d444143dc6933d8adc1579ac21225dd5ae7fc34e867f0190e253

C:\Users\Admin\Downloads\iAsm.exe

MD5 9a59b60d80d3830d602141575a5130e5
SHA1 d0cfb10614b6e886e54a2fe4ccf64c5835985511
SHA256 ba64885da0a8536f71c4d35a525eb56a828a6e9f4c9e49a2b2117d15889c985d
SHA512 2087b1bf359137c0d5fb1a3c5f146c4b89f193e573fe7861c3401c2f2a525fac50d45ae0bf6c02ab0a9507cb7bcca4ddf365e6a1f5450c26ad94b66ab93dace9

C:\Users\Admin\Downloads\usEU.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\Downloads\uEEE.exe

MD5 67b32753391a17c0ffde3c1520df3aa3
SHA1 cbf510e18de7a2bdf9063fb4f75715d4700b518c
SHA256 af26ee1693006c1d49b503bc51a7c3e256e8690f4f8242cc65e6812637ba777b
SHA512 bbc7a2e4898f2b1abe6b4170d5f1a101e788e62aa3ddb9fc232aaaab0b34b7b89b8523703432f6c467247c70143ebe9d1445d438c77e78081763a54ecbda120e

C:\Users\Admin\Downloads\EQwk.exe

MD5 dc6b8bef7a8fbb312aa3dfd2f316e5b2
SHA1 cbcff511a2eabd14646f9684b2d5fb642261e233
SHA256 96098a19d6edc327086a06b14772f661671ef6c48b7021b24a94d82abc794ffa
SHA512 5210e62c1662c311f9856d1571e74fc3bba9ad861fe03daff36855f81f82a8a432e5b6ad047e2a1b4c811878e016f931a8c5e9a2f66572ec04107a50fedf3f25

C:\Users\Admin\Downloads\wIQG.exe

MD5 13baad887627acc0a1d69545c3515ad6
SHA1 e27e4e11590649cb507cc29c90cbcc0cededaae3
SHA256 45ebaa6da6db10a99da7188ab21696af3ca1852bc38a1eae4814d1547a655a77
SHA512 c0436a228b3eeb59cf12aaae377123c19000177d1a06760d8ad33efc15394b9994d61cadf030443e466d05bc7304c6f16e6bdb15958ded1c4110764528bd5ac2

C:\Users\Admin\Downloads\Gosc.exe

MD5 7925356149001434da63f884653c5a45
SHA1 2c7a44cd4bea4302ee07e94abd762b6d4cde8f50
SHA256 7330056f491004e4360bb0a1dc8618b17b7373348f8ad56c72c9792295847c81
SHA512 b19d6e2eb5b982cd96e1eb0917177f285ca1e7be59b377acd899c9ee7ed6873709bb6292a58cc2a2e7446b78bae9732e1264442d72a96a4385fb211d0467c9c0

C:\Users\Admin\Downloads\EAUy.exe

MD5 f1bd09b0604df204afcd65cfacd220c2
SHA1 c6ab27a5f15cabf08fe607655d60614362d7dba0
SHA256 d1ce3cfd0b8455957252e47eb78220d1606bc387716eea8290d2f7ec8200200e
SHA512 bf707d93405bd4a14304c6c40390b69b9099f6a1eae7800bde85659a6a34fe2fc416a5b95d7d7108922461e5d5044294b805b6940a5bb7e7a186e0d8d1b8541d

C:\Users\Admin\Downloads\mgUK.exe

MD5 79249a2ec39ebf08dff29acdab47e71d
SHA1 1e8ed6d1823996df8eb9dc387ad6d1adcec81b1d
SHA256 47994050044d16ebb6428a3b59a35b510cbe69e1ab20bebc1543baed8e702e8f
SHA512 0e9921f36092073baf0788ab8fba9672780f98fdc2b1e9b9400b39b2abd3342c9d40abea186f8be8d2a8fca2722252c54bfd4f67fc2b034de01e926034f0d2dd

C:\Users\Admin\Downloads\IIse.exe

MD5 8b81504bde41c4bb0614ddc072ec5dc2
SHA1 8904f812bdb807ea838eef2a6e7af2b1b543f5a2
SHA256 6206e6499f68d4e2cc7b87a04fb5ad778f2ea9672da22648a861b792a233926b
SHA512 f6ec57b11127eeb2983366ebc720d010dacbc0c27c4902d517166a1420acafb304245f88a42412222c370ce71b58f6c4085b6fa1f9a86f543e2525c7eff1b3dc

C:\Users\Admin\Downloads\iUcC.exe

MD5 2365f52a07c7100a35753ccfa29287b8
SHA1 0d163de3d50d846681b173199df53babbff52b58
SHA256 f61cdee386dd2aa7066e293def2c3732d517abbc0f7a032a54352258d642792f
SHA512 3dc3b51fcb2400eb336bb7ea8e13cae72ed91fc40f430e005b53504e9c62d6def6940a7f737eea0860c62e452229fdb334797a27fd5ca3a59ea73d1b3aa39a20

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c94aeea2af7efed43350a0b77059e2c0
SHA1 ecee8e645f62b0994c1221a851e86881e13e8088
SHA256 9bcd9144e930f1d7f085ffa2ff7270db6d2392e8c3e9301b5e7f8fa50afaee09
SHA512 50920e6ac8cd33eeaf40a5096eef23d781fedf9e415a927a28ce2bc38600db8be4ed12630298c494c4552860b9a9493ea6a6111cd835516a4715ae96525d76b8

C:\Users\Admin\Downloads\QkQQ.exe

MD5 576c0f2d3f52e37d8907fed4534c570e
SHA1 22cbc349f2e093f8bc3972fe42e3758d9d3adee9
SHA256 004393f37fb9eb66bad6a4517c151ef75c1a3450ee2ed18f11f8a99409294d57
SHA512 baf55eedebf1db877bd7468272ff3e209100b6f4bc6ab12b6736f7647f8ab8586891d4f2e7fc977b6050969b8eb4e98264d82ec554e41be174ce091f1e92b557

C:\Users\Admin\Downloads\mwwQ.exe

MD5 052ae297f85cb6b4db468e866f2056e3
SHA1 e747f49d4e7ed8f631b08ad384bec6f47d953c76
SHA256 82e4feafb70c531640f5af1cf0ec892acb62b8e776a508eabe0fba42d66ae601
SHA512 4aa79259c97457789da0886b0f6193f386f5a9b4bfc48d26aab01dd812306dcf79f60dc8748561433012bdd59ef48666b5ce599119185645a1ad8f728c4496d5

C:\Users\Admin\Downloads\YIgk.exe

MD5 576ca4e4ee47247141cebc80fa2facee
SHA1 ec17198802ac190c6f4b26d0d3d54bc4b4d3e005
SHA256 eec28d49a95bab61608d8b420e6be9de89ef4777b4d146a40470e5792677bc12
SHA512 585e0c579f0fe02b5187331ba1a60fc56aa7dbf9b4d8e48d662e80454bb9cb2ee7e49c4d0d3642985816dc054d2978cbb8ddca01f45d7a4845c670972552bafd

C:\windows.exe

MD5 e9e5596b42f209cc058b55edc2737a80
SHA1 f30232697b3f54e58af08421da697262c99ec48b
SHA256 9ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305
SHA512 e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7

C:\Users\Admin\Downloads\WcEQ.exe

MD5 6ac7af8df2b38847ad6087288c76221b
SHA1 3b0ec3edecf571ff025fc257fe436d1190274c0b
SHA256 7ea62d25f0bd4c2a99c5f84e054bfebf42b14bed6cc05e96a2a6e69bf4422749
SHA512 ffdc501b434730a14807c8625590b53181762537ab61a5aab8d92f86d61742699185fafe0402e1c5d85e5f3b770c6bc61d8e4dbddc15eec1137ada5a7701c2c0

C:\Users\Admin\Downloads\WoMo.exe

MD5 d9b2ccf3821a2c1a93e5d27b219ec3c5
SHA1 4b2d6bafe7ebe8d477bfde04f560a3c63ba64966
SHA256 b45e98b1779d94826f8eb4a90de93e892ce157d991e73a779b35497490970c5b
SHA512 c17bffeb1c1767e4fdaa8e4ff2b1c4cab616b548aed07941d033bfa400f4e326ec4b65e93e2155a3fdbd3171b51f6a6de9b6a285b702374f44d45283f1a1a102

C:\Users\Admin\Downloads\CAgc.exe

MD5 4de9d18c375ce112ec36e995ae42913f
SHA1 3d1aa39743157db5a612769e39e9f30c7c5f50c1
SHA256 4b0aceb412b8056b99324ca65b73f3b82d50652941b6b6b7e0e8d52a43942be4
SHA512 544b700b5134e334bbe09d7d055c534143b0e99255ba2c299b92874331b62546115d54d6eb97c7d60e87731c668ed02131c55468900d6ea140bc18b9f6864896

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 fdb385718bd9637be95ddeb00f5926bb
SHA1 7d8eb2faaf7e1cac80ab592508997aabea55a713
SHA256 e11849f5330a0bb71e3788c08722b945d05608061dfe6294819bf06e1568760a
SHA512 c2fd8d4154c027b04844c64ac85a7aa9048ab25c5dd3dc78b52dd0129ee31155b3e883eecf84b36608031266cc1190df5de7eca4dbac956a614e3c22c2e6a155

C:\Users\Admin\Downloads\swAu.exe

MD5 251ba823ded6248fd7d330a0ec7ed2c5
SHA1 ecfb15a4b0ba4028f9ef49691394aff75b5776e0
SHA256 25eb8fda2016236f92cb658ba6e01fd56df5a2e593e938a2f4e912c4d034b9d1
SHA512 361936655c6702bc2507edf7e96053c64ac879e6c433b82f757b5f4a21b22bed2472c62ce31034f7b085c408dda2d99cbcd3fcd77e5b038f262c29bb9f868ee7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

MD5 d74ff6762bb4fe11753a54cb2d9dfd53
SHA1 d4172dd296f5e26c188e858f0ae8b0a884b85a46
SHA256 17a0c5aa6085dcc5b25f51c1bb0db36d4528048b98810fe8adc0201c8ffd10b4
SHA512 889b6d3ec872b99de9492b89d6a64b20d813e6454a7fc363729ad24a514bb0b3d38e51e439338f9ac9410b5eb2277ce225fdbe7d45426922498c0287ca412650

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

MD5 f677c00011374e71d5d4e295d3479245
SHA1 1ca44972c856c2cc8fd0312a976c8beb1ed104db
SHA256 ef7111d98e386497be79d23e02b2d24515a4bc8e005bd71d6860c63194641806
SHA512 292800106d23ee37ffecbc0d7c5644871cd4a4f1975d6a061836cfc321832846d6c9a3bff47b33b7d187a5fcb2c23d84095a8d40eb095a5cef4b0ece7737eb83

C:\Users\Admin\Downloads\wEgy.exe

MD5 6981282cfb64c65b92714e573e344651
SHA1 075b19982f77a6b694b0ee1041b77b7118c4a504
SHA256 1b48224df5446c7a221a6627b0f870af432a96787656ebf37f7e502c8c3ca6c9
SHA512 f63d1140b70ab189a55f283db0509f98178f1b1485d3d4723415be0d58cc753ec8fa7569cbe8db6ce4fd7d9fe3b5a7f33a79a11230470f8c7b6e2580c8f9a173

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

MD5 2e2042d300cda75b1f4626d3e318c085
SHA1 7944a3a1ae7b400b58ae3eaf65671e46fd50ad8f
SHA256 771a493cfc4192e63c660a6f2dfb5593a706af924b13636b47cd8a01176e0876
SHA512 042207be9a83ddf054ecccbd9d2c6d94fdd09df806c7641d5350c57b3ea26dd55ee46be815359f965c79785cc47b2156c03ca64bd4287bef5f14494a8a42c467

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 357f7ef153811a4342cc0c73d1c85e9c
SHA1 a219e89a529f2b3ae96d553fa432cc762213be28
SHA256 e2491319afbf0bf9a7471cc388d5016c7a32bbbb1df397ac466d7388e820bfdf
SHA512 764f2866611a08fc1099a5ef45a327f573cadbb54c1cd682cfc6fd8e96451f4f64d4fc433b597cf28040fff014a670df52a36712bf610f8cff9e442c82496bac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 d014dae8093ae5ad6abaac62687ff5b4
SHA1 3e0e0274f69df3d672c65c784b9e21cc2a5c4794
SHA256 497ef0f81234ad72841317060e8f4cbc4dda0e4bfa468a5cff90b86f96dd762c
SHA512 fe1ae58a15efb46c9c66c1176ea0cc3254ec390ef9e7d5657843755a119cc499c4c7f211a5f799cb69336942a7c73b62ae2b520df762e78e08824285bac4d132

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

MD5 6bd2eff30041fef2beb482523abca05a
SHA1 8ef98d724d0c6890085c62097b831cba8c80bc77
SHA256 b17b62147f513163fbc8b5aded86819a099130ba50020c9a31dc3a02e392c9b2
SHA512 2fd9b1076f6621b5441251baafa8454b20238ee7706d33b997837da7a21bd0f8626e73509d7ae16a6f46d2e2b173484e2dd7ca4c517eecca5cbf5562a8a01ec3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 bf8bccfc2ec1e59387ed8def3269ee17
SHA1 b8ff4f2bc579c8b30b5c4115ea9855087184e1af
SHA256 89e3db01074837a3c7f91571d2b258ef8e8ef1d0cbc74a9014b7d2e899319266
SHA512 8d2ed9addd9b874b454d3765ee59d48aab5beb9c333b85d04388ba214cf3de802499476f10cf1a102b3b183db0e5019e592e20e0ad76acb4e92dd2682f401a53

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 2828109c43a1bef36482df5b7da75955
SHA1 883d8ab8ad3f2fd3e0f52d4e0fdcba816f9db887
SHA256 f0a0db1793038207e71ecb57db4aac57d80ec3603c306f94a8cd5b29433c3628
SHA512 8736d88955b21afcdf75ae2f48582a0c04ad30683ed48672eb6bdece3dbc162ec2bb1cd566908667868980b621c597fb3ba22a48966ae78f40e6ca930c5a3120

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 9a958c54d58105b68d3a119579873c07
SHA1 be87adffc8b979540059c7d78fa7c939c820fb7b
SHA256 ed41ee99ef1e67c9d212c97b39c8d09d847a371d55b2d58c54377274d325148e
SHA512 893633b91790b58e4b02ff32e967b9fc06d7317bb421dbccbcaa0dd2036fa954f09c9dd16012306535ae929d2714135c4687ca36fa43fc04bc0daf1cf426c396

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 a508cf71507f50e087ec4badd5b28a10
SHA1 951e126b3b064a955192034db5cad374fce3d84a
SHA256 f1f83b7cbb2289860a88f0814e73b1136cd586adf2c34cf90b2294352aa38811
SHA512 e48432255126ef3142f35fb9a3af49f6e8b42e6b9ba27d9f04098616f3306b48259292a4a93c06e34b09788d1355216098dc92f2f781c498d8d991e41328ae4c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 80f1a1e59c72e2c57758a8f29c770381
SHA1 b0e2c3e5490aeb890cade80df2a4898b865ec127
SHA256 6b080e42e3120a52510c664299c1ed43bdc184971ffd929fd0a68fc81e4107ea
SHA512 a50cc100219b83454a8287fa5abdeefa0a9535bd28de97d789252906f20cb414e0adaf53e1e4f15f59bc77c0a1aae8177e37f23ade1a3b3c06076fee6c19ece6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 7a83664648b7e2a6b6e415354519093d
SHA1 4b07c8b4fac4bfd558ff4b76479f3709a8a4d7f3