troldesh | hxxps://github[.]com/Endermanch/MalwareDatabase/tree/master/ransomwares

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/tree/master/ransomwares

Score

10^/10

troldesh discovery evasion persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ZIswcQIw.exe

Executes dropped EXE 64 IoCs

pid	Process
4316	skMYEgEo.exe
5476	ZIswcQIw.exe
1364	[email protected]
1220	[email protected]
3916	[email protected]
228	[email protected]
4236	[email protected]
6036	[email protected]
5812	[email protected]
5604	[email protected]
4004	[email protected]
5628	[email protected]
5952	[email protected]
2164	[email protected]
5020	[email protected]
6092	[email protected]
4004	[email protected]
5056	[email protected]
5836	[email protected]
4260	[email protected]
2888	[email protected]
1760	[email protected]
1124	[email protected]
1204	[email protected]
5992	[email protected]
4164	[email protected]
5248	[email protected]
2532	[email protected]
3972	[email protected]
180	[email protected]
6104	[email protected]
5928	[email protected]
5572	[email protected]
5812	[email protected]
1204	[email protected]
404	[email protected]
1368	[email protected]
804	[email protected]
2320	[email protected]
5712	[email protected]
5036	[email protected]
2864	[email protected]
3600	[email protected]
4412	[email protected]
5572	[email protected]
408	[email protected]
4008	[email protected]
6036	[email protected]
5572	[email protected]
532	[email protected]
3556	[email protected]
5852	[email protected]
2932	[email protected]
6100	[email protected]
1788	[email protected]
5032	[email protected]
3240	[email protected]
3092	[email protected]
4804	[email protected]
6104	[email protected]
6056	[email protected]
5852	[email protected]
5068	[email protected]
5924	[email protected]

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4516-250-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-251-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-253-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-255-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-252-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-267-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-268-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-287-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-289-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-308-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-355-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-749-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-1186-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-1876-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-2728-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-2773-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4516-2804-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skMYEgEo.exe = "C:\\Users\\Admin\\AwMcYMUA\\skMYEgEo.exe"	skMYEgEo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skMYEgEo.exe = "C:\\Users\\Admin\\AwMcYMUA\\skMYEgEo.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZIswcQIw.exe = "C:\\ProgramData\\yQkAkMcQ\\ZIswcQIw.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZIswcQIw.exe = "C:\\ProgramData\\yQkAkMcQ\\ZIswcQIw.exe"	ZIswcQIw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
65	raw.githubusercontent.com
66	raw.githubusercontent.com
67	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YUEY.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\ikUK.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\CgEo.ico	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\BUwu.ico	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\ccgA.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\SIwC.ico	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\LskQ.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\SkYm.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\sEEY.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\mQcK.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\OwgE.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\logs.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\pQYU.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\kgEs.ico	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\LsQq.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\qkMS.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\xQoA.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\WIIO.ico	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\sUsk.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\XAYk.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\zkAY.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\QEYe.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\iUgG.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\woAW.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\DogO.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\sgQQ.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\koYk.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\YUEY.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\hQAe.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\JwEe.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\QscQ.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\TscG.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\pgEU.ico	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\EwAy.ico	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\jgIE.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\XAEG.ico	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\iEIO.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\gYcW.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\YMAs.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\iUEK.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\GswQ.ico	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\HYoc.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\OUcs.ico	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\JIUg.ico	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\dYok.ico	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\YsMW.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\kooO.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\accq.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\OwgE.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\ykcU.ico	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\cAcM.ico	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\GwAM.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\ewEi.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\rgII.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\sUIW.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\bsYU.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\BcUm.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\iUgG.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\UYoK.exe	ZIswcQIw.exe
File created	C:\Windows\SysWOW64\sUIW.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\vsIQ.exe	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\GoAU.ico	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\xwAK.ico	ZIswcQIw.exe
File opened for modification	C:\Windows\SysWOW64\DIYa.exe	ZIswcQIw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skMYEgEo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690382534892017"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2112	reg.exe
1604	reg.exe
1768	reg.exe
6096	reg.exe
6120	reg.exe
3364	reg.exe
5824	reg.exe
4692	reg.exe
5808	reg.exe
6028	reg.exe
1688	reg.exe
4920	reg.exe
5584	reg.exe
5628	reg.exe
5940	reg.exe
1688	reg.exe
448	reg.exe
1156	reg.exe
6132	reg.exe
1624	reg.exe
5668	reg.exe
2136	reg.exe
2752	reg.exe
2604	reg.exe
5860	reg.exe
3832	reg.exe
4420	reg.exe
5736	reg.exe
1364	reg.exe
1144	reg.exe
4784	reg.exe
3848	reg.exe
1900	reg.exe
4540	reg.exe
1168	reg.exe
3496	reg.exe
5308	reg.exe
5168	reg.exe
5600	reg.exe
1524	reg.exe
5916	reg.exe
6040	reg.exe
6104	reg.exe
5720	reg.exe
1724	reg.exe
6064	reg.exe
5496	reg.exe
2052	reg.exe
5508	reg.exe
3596	reg.exe
5704	reg.exe
5056	reg.exe
1104	reg.exe
924	reg.exe
3528	reg.exe
1496	reg.exe
5020	reg.exe
5896	reg.exe
2488	reg.exe
3592	reg.exe
6032	reg.exe
3848	reg.exe
632	reg.exe
3556	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe
4516	[email protected]
4516	[email protected]
4516	[email protected]
4516	[email protected]
4280	[email protected]
4280	[email protected]
4280	[email protected]
4280	[email protected]
5560	[email protected]
5560	[email protected]
5560	[email protected]
5560	[email protected]
5768	[email protected]
5768	[email protected]
5768	[email protected]
5768	[email protected]
1364	[email protected]
1364	[email protected]
1364	[email protected]
1364	[email protected]
1220	[email protected]
1220	[email protected]
1220	[email protected]
1220	[email protected]
3916	[email protected]
3916	[email protected]
3916	[email protected]
3916	[email protected]
228	[email protected]
228	[email protected]
228	[email protected]
228	[email protected]
4236	[email protected]
4236	[email protected]
4236	[email protected]
4236	[email protected]
6036	[email protected]
6036	[email protected]
6036	[email protected]
6036	[email protected]
5812	[email protected]
5812	[email protected]
5812	[email protected]
5812	[email protected]
5604	[email protected]
5604	[email protected]
5604	[email protected]
5604	[email protected]
4004	[email protected]
4004	[email protected]
4004	[email protected]
4004	[email protected]
5628	[email protected]
5628	[email protected]
5628	[email protected]
5628	[email protected]
5952	[email protected]
5952	[email protected]
5952	[email protected]
5952	[email protected]
2164	[email protected]
2164	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe
Token: SeShutdownPrivilege	3164	chrome.exe
Token: SeCreatePagefilePrivilege	3164	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
5476	ZIswcQIw.exe
5476	ZIswcQIw.exe
5476	ZIswcQIw.exe
5476	ZIswcQIw.exe
5476	ZIswcQIw.exe
5476	ZIswcQIw.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe
3164	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 1012	3164	chrome.exe	92
PID 3164 wrote to memory of 1012	3164	chrome.exe	92
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 2788	3164	chrome.exe	93
PID 3164 wrote to memory of 3824	3164	chrome.exe	94
PID 3164 wrote to memory of 3824	3164	chrome.exe	94
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95
PID 3164 wrote to memory of 4452	3164	chrome.exe	95

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/tree/master/ransomwares
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecf02cc40,0x7ffecf02cc4c,0x7ffecf02cc58
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=308,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1576 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4544,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4340,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=972,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5332,i,4259695905726017466,10621974722519860739,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:4828

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
1⤵
PID:4232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4280
- C:\Users\Admin\AwMcYMUA\skMYEgEo.exe
  "C:\Users\Admin\AwMcYMUA\skMYEgEo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4316
- C:\ProgramData\yQkAkMcQ\ZIswcQIw.exe
  "C:\ProgramData\yQkAkMcQ\ZIswcQIw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  PID:5476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
  2⤵
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
    C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
      4⤵
      PID:5708
    - - C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        6⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        8⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        10⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        14⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        16⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        18⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        20⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        22⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        26⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        28⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        30⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        31⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        32⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        33⤵
        Executes dropped EXE
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        34⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        35⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        36⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        37⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        39⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        40⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        41⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        42⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        43⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        44⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        45⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        46⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        47⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        48⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        49⤵
        Executes dropped EXE
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        50⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        51⤵
        Executes dropped EXE
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        55⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        56⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        57⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        58⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        60⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        61⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        62⤵
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        63⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        64⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        65⤵
        Executes dropped EXE
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        66⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        67⤵
        Executes dropped EXE
        
        PID:5572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        68⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        69⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        70⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        71⤵
        Executes dropped EXE
        
        PID:6100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        72⤵
        
        PID:2844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        73⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        74⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        75⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        76⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        77⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        78⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        79⤵
        Executes dropped EXE
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        80⤵
        
        PID:5268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        81⤵
        Executes dropped EXE
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        82⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        83⤵
        Executes dropped EXE
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        84⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        85⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        86⤵
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        87⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        89⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        91⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        93⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        94⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:5644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyEoUUww.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        94⤵
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:5840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xicMUgcM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        92⤵
        
        PID:5812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:5704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymIsIkEo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        90⤵
        
        PID:5932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:5720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omQgAEsM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        88⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMMUEUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        86⤵
        
        PID:5604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMMcQYIM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        84⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:6092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:5848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmMYsowM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        82⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAoQsgsg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCMkUMEU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        78⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUUYQMQk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        76⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:6120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCAMocMk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        74⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmQoEQwU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        72⤵
        
        PID:5988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQsssQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        70⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOkAsMAc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        68⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQQYQggQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        66⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMUEgEYU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        64⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKAwcMsg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        62⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEggoUck.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        60⤵
        
        PID:5340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMMwkYMM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esQYIwQw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        56⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCgMIAYI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        54⤵
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUUgYgUs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        52⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOgwAgEc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        50⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMwAwUUY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        48⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyYUogsw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        46⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:6132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIAEIcYo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        44⤵
        
        PID:3916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WikYMYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        42⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:5668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkUQYwUU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        40⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYkokccc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        38⤵
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:6016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoUEAIUs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        36⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIEEoEYM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        34⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekEQAswI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        32⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:5808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYwowEUs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        30⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGkggwIY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        28⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:5736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cascgIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        26⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:5488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocscccoE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        24⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQAcUIIU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        22⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIQMoMwU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        20⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyIsAAAI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        18⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkAkswoE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        16⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECUsogMQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        14⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKswUUwE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        12⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEUQEAMk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        10⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWYUYAIE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        8⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4224
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:6132
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKokocYU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        6⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:5628
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:6064
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:5836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kikEYMwk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
      4⤵
      PID:1768
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2488
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4588
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joEcwogA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
  2⤵
  PID:220
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5520

C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:5604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
  2⤵
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
    C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
    3⤵
    - Executes dropped EXE
    PID:4004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
      4⤵
      PID:5824
    - - C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        5⤵
        Executes dropped EXE
        
        PID:5836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        6⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        7⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        8⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        10⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        11⤵
        Executes dropped EXE
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        12⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        13⤵
        Executes dropped EXE
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        14⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        15⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        16⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        17⤵
        Executes dropped EXE
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        18⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        19⤵
        Executes dropped EXE
        
        PID:5572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        20⤵
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        22⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        23⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        24⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        25⤵
        Executes dropped EXE
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        26⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        27⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        28⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        29⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        30⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        31⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        32⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        33⤵
        Executes dropped EXE
        
        PID:5572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        34⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        35⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        36⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        37⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        38⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        39⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        40⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        42⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        43⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        44⤵
        
        PID:5768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        45⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        46⤵
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        47⤵
        Executes dropped EXE
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        48⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        49⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        50⤵
        
        PID:5228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        51⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        52⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        53⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        55⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        56⤵
        
        PID:5616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        57⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        58⤵
        
        PID:5884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        60⤵
        
        PID:5724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        61⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        62⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tawEUcgE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        62⤵
        
        PID:4916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIUogIgs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        60⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:3872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOYcgAgY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        58⤵
        
        PID:6012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:6016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIIUwoMc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyEIcMoA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        54⤵
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKUUEcsY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOYsIwIk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        50⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:5824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:5496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cogUYQgk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        48⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwQUQQAo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        46⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkUcgAQk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\degEoIIw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        42⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgYAQsUg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        40⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REcYYwIE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        38⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:6032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMcQIosU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        36⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMAYgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        34⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGowIssg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        32⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoIQsAME.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        30⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUEwcsMM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        28⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuYIUksQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        26⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voUYMEgI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        24⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcUwwgMk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        22⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:5940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEUgMIQE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        20⤵
        
        PID:6068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuMkMoQs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        18⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQgUwgIg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        16⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCEAAAYI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        14⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYgIYEwc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        12⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beMEUowg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        10⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSEAQggw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        8⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1156
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5720
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3528
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGMEYMMU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        6⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3408
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:5860
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWYkMwIw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
      4⤵
      System Location Discovery: System Language Discovery
      PID:5560
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5796
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4916
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIMQQAEc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:6020

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:6028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:5704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
236KB

MD5
b0a103b877fe7c8ea3566d964525989f

SHA1
9dc2dc614162df44412fe5c28031b2799e53b959

SHA256
4d214a3ac51827f5f73ae8398ddfa8c5a960f995b296a3ca42bf3f71caf43522

SHA512
5c7685aca1eda5966ca0e2182bfd0fb4716fdebf12aacd8ebfe192fcd2266e8775c6aa9a2b5509fa032ea848ebcc81b99bbdb20d77a5fcae9df14c3957f2c70b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
218KB

MD5
72004bbc342937d5a438c8991861fc8b

SHA1
1287b226e1f9e78b7e6ebd8c92a3d1e651caacfe

SHA256
3063c2acd62ec00d129044464731882b79e1af53bf410bcb0f637f5b876578f0

SHA512
8003aa35333ddd8510f0c7a96d1dface95fd5077c59281b3d14daf0a0d96b485d5902dfb20d657fdc194fee0661550c3992b34d2bd8ef9e8225c2931ef111888

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
220KB

MD5
6a0af60a15b3a15a101335cbc0b83233

SHA1
74f3910ead802d17829c9ce8e796b5c4054168ec

SHA256
255e5dd6d96bbe6f2390de44cfcdca76cee29fe4335459f4e93c0f8b1bb62993

SHA512
ab56c3f824e7a3e260b05ccdaf1508f310239c32055b120ab8c9249adc9b23b7f3ff3525e247db9c95716d3f4fe045e4af2fad3f76b81590b8b3630a723e0ed0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
781KB

MD5
1feac6ffc90dfc5cd52e9eb4899834fa

SHA1
712dd3cd8061f87c0400f298c34151d6b8b93ed7

SHA256
c89a6df71a38193041bdbbb3691d1f351397987aee3b2c17fe1cfdf956491de9

SHA512
41aa63aa52c7bce6c57fabd9cb73e9cc1c55499e36bead47589f90167acd07bc1232c7d1564f5cb9f039d2e7b2ce8266a81f32c5380a923e4f7b72d37118310d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
189KB

MD5
2aade170eeeb71911cd31de9fac444d0

SHA1
52575c17fd0fa0e4e0c76a7a54c7bbc5b69ac6e8

SHA256
72622042b47c0d5e180704cdffb3f0adffb21fada8f46a6b81d578b9d1b833a5

SHA512
35bdbcca353ed77b89c1cec4b819574e0f596850679dbe03e36c42e2e99f777f5fa901137e5b858f5050d5c8bd097657804de04855b8b15f64ad9dfa74db76c2

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
817KB

MD5
bb0a157f17115f3f842e8d67f17b870f

SHA1
1bea7fbde32acfb2a2ea242bded553a240165a46

SHA256
2e6f93bb778774dd44e910b4e4bdedcb3d3c5118930525f797a3e349f04e1274

SHA512
390b3885bf2f168c2a211a300fb6a238d8b1c30279fd2902daf548a930a7590b83e915f229fab20186efc09454dd786326384adbaae295d290950db8d784331b

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
827KB

MD5
ace452df4e60021e55b33e45e9dd3884

SHA1
aa340ef7ddac922ac72a5d6be0474c22a6aae6b0

SHA256
1813ac0669d84059c3808cad6ae2faa31a7f58cb9420fd0b1b544e71cab9d908

SHA512
f606786a072de3e783619aaf6f1ee1a738eca664d37557977baab6a22dff71dbc300f9ca76f65fa399f88589d8b530b4168eb904dc46d77c5e9cb2998c4f5fbf

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

Filesize
809KB

MD5
7cc29e586ec4cf71c660226219fb9777

SHA1
767a10af2fcd2ff1e02eec47b103977a66468d1a

SHA256
5d392dfc4b60035b1493a6c0b651004333945111dcdaabb1d21737b39738b58c

SHA512
3a91d87c6659d8d7ae41b27531ac0a61c3d33c4c8357920c3ba783f5b87504549ec21ca6c66b5ee46f4000d9ac1c4d6904e650002c974573d9b25c7816fe2488

Download Submit
C:\ProgramData\yQkAkMcQ\ZIswcQIw.exe

Filesize
179KB

MD5
a531ef3fd70a2544d78eb7e5db963cfb

SHA1
7431f3ede73c452bdce524d1c681c77a07b4c8b3

SHA256
83b223bb8c5876ee49bf7a63e9928496209bbb42350895e649457fea9c102891

SHA512
21501c27891822b0f5d402f08fbf1abe5d011b009b8803a8b375761db47a426a334c0dfdfa15ebd1e12fd1ad4c3fd55891b540db7e2cdcf11075086fcc3ea129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7df39e4a6387111fd905854a82374933

SHA1
3b26dea2b3e3829498be7e1ca0e49c83c2901e50

SHA256
946baceaf9cc6c490f25ea931883a8cfca6c00c736bf4077948113d64966dae8

SHA512
fd1acb2033a1a1f97fed4f1a46ef991aca0f286bf0c32ab4ddcbe2f4381454be48e3d5b038b5b855739616b3f374e41a3c158679fd0b75e6bfea02253686bc8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
02756d3c17c269b7971b7d0df1460fda

SHA1
b66ac74a2400e89092b40a7d558a52c4c0603369

SHA256
f1ca21e968725d4f1cdb7b0c7f58bdb9cdd650059611d721661c3e1eec5d1113

SHA512
53405630936a49b75abeabc20b01e713c918ad0b98173627ae674377825c19704ed81a09965affe4732427c2f5103655ef4b3d0b7fd761843ca66e28c12bef83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe

Filesize
252KB

MD5
cb4ece9fa8f405b87a9c75e64160f356

SHA1
45f697d495bf0a426f65de30f901601efecf7f3d

SHA256
1e213a772b264b4e434dc98f5a3f9486dbf9533475cdf5e1b361aec86af89ff7

SHA512
c264214fead50ffb35bc67aaadd7ae63c0d53c7681db510fa6356b22a67b568f1dc3a9e7c54e3d76ee8c33535051eb0c01d531c8964dbc59a41bc23fffb05797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

Filesize
185KB

MD5
ae4ef69524be958c692a6ed5091149c2

SHA1
4d366e39d7aaf02a93f3fd111936423fde370335

SHA256
98fe9f1b507336b9ec512f052b119abed5e9159fe3343e97fa79aff2eea45a41

SHA512
b901865050edf4119f1d74074270a9ec2da1a91911e18c71e1929b67ec9301426f2ab540b85a728ad43d18f0e37a4c335e5892aca3f7e2499de5acee6f30ad56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4ae1410b395fbecb148df79e8794d7c0

SHA1
081481f7d4afc699439b78b2cc0b3526995a9a03

SHA256
561f16a32c1fb2c3bc8c3b337edf5cccdc005ee02475b9604bf3cf9829b46469

SHA512
b5edbd217c175e67c56b70aefe31fd33a1e18ae823b0c42fdf23d25451dc0afd246dad9851439fa16b01307ef696dc2d204c6c5c68fcca52e51e43a850f51f95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b7e70a1c20ff61138317855c626d1128

SHA1
aeb512cde5e91d50785495a506408742276aae2b

SHA256
29f662399ecaa7b1e19b99424e210020d1ceef93ab1e0ddbaa99410a2f5a0a0e

SHA512
9fd0b5bafcfd901358d44df51f23d8ee15eb4ddbdb4475c577e7bd7845d37e5d92099dd4cd82958dd0a0f51952fe171fc5752cb7f9516ec9fbf45ca9445255cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
93199d850b7caa0fa6634f1eaa04b565

SHA1
34e8ab3c59729ded0798b478f3cbf6a4a6898e2b

SHA256
cb1e8babe6ba93fcc899ff323b7b3d814440320e1cdd1b941b4e29ec96329299

SHA512
7268df5a6c5ceecf2a01b9c922205a591cb9eb3c3bf234adde30e21b13865691ebfb4872d5adc199dca06b1d0cd8ca9f63af7b34e87c391f75c5c2bef00f5483

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
979a645bba128ac60b9d61227513047c

SHA1
c023e82f13d57b3fe375e2676e4f1ffb642b258c

SHA256
8f6191d86a56b767ffa038a6116acc2bdfa13125c8164b3d668f14a9d5575e9c

SHA512
aaac7be4429e222b3ec7b1df679994c270b27659f8c42075693a8035b19aeeca8b45a7de0899040c94b711434621ae9c4f530e4dbba67e92c4dc18bfab01a537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4dd9a2e01228d9a4f127fb09d7ad5be1

SHA1
1f2d1a6a4608519a12d2d72de919671cbcc11e6d

SHA256
87c465b53c99d576742620246048a7f3bff272db4a6044f8ee680587ff5317e9

SHA512
8432b4460ab28e26933a7c60c93692168c66a9c8b3baf06649b2d8bfbc224f3bc355c9e863c454bc02f040492aebb90b02ff328865a2724821361dc8fc442a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e737f3dac58fed5b3a95d59517331f13

SHA1
ce2dd5ad1988f5c14b9f229db04336e72bfdefe1

SHA256
14c3d92ad479edd50b44b8d9a8106f940f178a036217adc661672cf3089a07a8

SHA512
e97d44f665842627201abc027ffbaf4aa36dae9987225b78532da5daf4169392f00064892ca65fa85ebe48213f34e11a5bd2c5fb664926898335ad8b0d650695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
512a725033be3f4ff9254c484693369f

SHA1
9d6d310006f7b7e8b3ff0647276426bccc73d9f7

SHA256
55b54b9361e889f055fa270e63fbb9a870b0fbc602e77054bb749bad2b5aafd1

SHA512
178d27dc099263222a9363eb0de93a8e617ee82629049194c306fc3d6df9f2819dad9c05b6a534679f7867c162f96316fb7507285db44d26564c945e79e1e6a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a4afa84105445c95ff2e345435c5fecf

SHA1
4b0aac28b5921963e5b36d686a29fe770ceff7d4

SHA256
0709b160649081a449d40b989841c016181448c25dfce61735ed480180da3ab3

SHA512
0a963b2f49663b3146df1afe549a0b8b92708a68bc0ce6f21fd7259237f5295dfb7876d7e89dc93e51043c54319af1c991fd9b9cfd51ca1231aae13899e825b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
976ad4614383eda14d5c4cb6fb1dc996

SHA1
65adbb18212564fbb197182d8356d95bfa70c7d9

SHA256
b15e260e01e9bad880418b4dc3ce4b6af7969dd9733c01ed5a789549033052ac

SHA512
8c47e050930ac05693637ee9c7c00d21d174d6a37daa0ed2e189873c285e2908d7bb343a0772040ca76f034f2b74c9f77b8c8cb1196a4eedca32cb765a566bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74225303a71df82405a8f01fb5fa972f

SHA1
0b6d48b084d1909e82f713305a113fedc67ed14f

SHA256
2846301f3b979555ef9c597fd61da62f473bd864e2bd2b2c6e3aab74b342ec96

SHA512
7cf8fababcef44e53dd60e7f08482d748f0fdc013fd76094f4d316636146201b8a7a5e3f387873cd623e60561a8ab767291eb2382a19d30151b4f99181124216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5771c467d908a929e618c2ee9197f779

SHA1
88a53f56cf749fa1444ec47246f9384aa29a4efa

SHA256
5dfd4048cfd6253e0681bf25d22a1dde0a7cf4709d7ff0a717a3bee6aa5750ea

SHA512
ea3f9e8118880e7c68523adb84b4ec34b26092b37b0c5317e7db330e5215a25c972fb1f807481c35d8a9baa86d0534f3a821c665d90fb9f21955afbf97e29f5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d196517e90a559d94ace4fd132c94bde

SHA1
eb401e2a3c61a51538ca5f1d0beec0f79c811f77

SHA256
af13d947c69461ae326b5c94e7f52381ace1beac2c43b518f328b805eda9e1f4

SHA512
a5725589990c83c69cf96b33cc0c719e99be94905f0a6f718e50157601d4cb0dcda95f88a95da3855f021b06b0a40153d6dd0d1acdb3b7bcdc44c433091217ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f93e6eac0ef7a0ff71f12e05d07a3565

SHA1
8dc42c51f1ff91802fcd36f5ca51d299a5db9a97

SHA256
17725800dbd1eb5e8b71e95a2d443e54e3c8e793d24abf4447566fdcb0787921

SHA512
6496184e15549efb0318184ee0164a6f731d8b9d140f908e1132cd2c076f512cf1b0390813cecaec52da392da5379c516f1b807cd55620ac09c22900bd33e5ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e2c292e3370bfa72c4af386b6fc7493a

SHA1
d81da56e2134f2cce7d22ff7aafd2b7773593463

SHA256
22cff8fcacf1447d74c34051541242327205042b0542287d02a69fdd55c8e215

SHA512
9767866263bc98155c9fcd1728d108e3a987d43106a8faf55f60cd288a095e26a013c0e6ffea92d0641229b16057508abca834ba058c64a432146f7793816440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
096bbd6ad8a06f5a8c5d79c32cf55e48

SHA1
eee64d109202a382bd5382081b53ff9b6c497bf3

SHA256
7e9cb2c5674e09f37786db36b80f1633e11ce16a01aa12664913b00acc3f3269

SHA512
30758522b647ba478575bb9267adca4d237f2747c6b5ec656e52ad2addae5b476ee7fc0e1c2056eb47a8bd16c088828d0a2baa332e8403b6e80de53f708bbfd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dcb44c4a71d9bd134ca56e1fae6d8895

SHA1
ba3b572d05d5eb3e153feec27240efec7f6b1b0c

SHA256
1f11557024e1a5ad544cb6d00cb90bd8a41339933311c526ced01f86441a5e5e

SHA512
ebea70419c76f7da1999f61c06e8bc2a01e65ff45aae0ca7fda737f31a6efe6ffd570c3b6725e652ac6c6704d0a9363657d17d6b178b32ce65a78f4648946fa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7b19fea71b4d9aa4aeadd94467c2bc28

SHA1
8deb31ca4e77ffbf74610474c5a842cfe061c503

SHA256
774c73f0a366471c298ebbc1bda6bfccdc3e3ee00848bad7c72591bbecb0662e

SHA512
d6cbd73f9ef5d4b423db33eb571cfdf6e68b2914177b2c26412a890acc75fe0a46dcc0168f160ae2a17d199b7f6956552e7b010c5b11235ae4c0a4f9cdafd74e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
de505da22f9e7640f9b6baab16be7371

SHA1
66398e59cc6ed48ad3d3271c4596e41fa3b36950

SHA256
1ba5d3ab1617a463da84ceb2dc218a195afa5261cf406ad673b00f1b8becb586

SHA512
c3fa9aecdb707b3273ddd1a8da44cb83a0e74ad603c3a7ad98628e5a890720b50f09ead35e3b03497071815eefaff91d7d75b77097b576226811251a68204b25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4d3fab0a94992933c960ec20f82f808a

SHA1
881e30d11368c45c2248429e12f1a10e5cea4006

SHA256
6793d7aa7390d84b5651475ead3c50ed945b5164eb024c36a4b11a270bba1e03

SHA512
92f90797cda89ea8a93942aba0490601d69e868d7376ee85bb529dc853371895fbeb315d650d9495b4d71a19c9b6b99ce99e4d2bb19f34936c61d88e80d173b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
212KB

MD5
73b43b026549977a9b773bde53daad9d

SHA1
697227dc543caea5a20b0ad68619ad8a46e9eeab

SHA256
5ced4e685cc15fc7091e469c4a7485d8cc687c09827cc1972f9d9ad675eed245

SHA512
1005be02de66300242f95713278d45ad37e74b132bb5c510e42f0d0016c33bb549e106bd4bde1fead57c6bc69dca0f4b6155f1d2adf4de709f9f418946b1e2da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

Filesize
208KB

MD5
f52cd63e413c726e4aa2afe820b55606

SHA1
1366e1b3e311c627569f00f95e3b0e02dd724b31

SHA256
da20707575f2146dad9f44081638972501c1aea44799bc88450971693871861c

SHA512
cae82079f14a9c296228357c5229b5176be6c724c4c10c952c3ab03b46fa090a70a352f1c822309c4df2fb711ae45c17c7f3b089741782e315f8620d644002b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

Filesize
181KB

MD5
3bf71457fe49d2b06684e595df53e555

SHA1
688f36eceb8bd5c6357553eab0bb076a0d04e839

SHA256
d42239314ca83eee780ff981a94e6d8ee4dcfd5a9e30ff064a740dfa767ee115

SHA512
a2c0ba3fbc912859eb92f68c7aff99c21930bd1fa862d08b8e07cfd96191fabaa9e7d3d1884abc5645892dd2ace59d9c6d65cd255d1604eb4ee8dd84f443540b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

Filesize
204KB

MD5
bec868243017a5fa4fa8faf5039d6ea7

SHA1
38de02812b374ee131fadf3e8ba2aeb8b643fd7d

SHA256
d34188d0a919e06be8da877d6dbb727a37d3ec711d63442f87d985867d3720ee

SHA512
587033613799f787fc267c87bc882edd7a165bb3dbe232cfb7a8ad1bca44b247f4737c2e8f47a3811fdf9574edd6b256610007b0d83e687323033c2b46371307

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
203KB

MD5
0e165c8ba07568815980c840b87e2637

SHA1
93aae3f19fa42f91a94052e86f78204ec12bd623

SHA256
c3c9d4f4cd9091081ca56eeec5d6bf1d8392fae9c59477be981f27e20668b570

SHA512
e36741613798bd539b5a1f922df7c0d99fc3a1eb8ed9927e4289196313aeae91d20fa12515ca28b5f198b24c78e7b3d2babb8fff1f4b081945e6d5a01042ce40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
192KB

MD5
3c8ce7a0fbaf5a2d6370a3e73cc84ee6

SHA1
5b90eff2c158ff0b4a6594f55201d2197aa40fd4

SHA256
1010a77d66670d746d2960071191ed2385cd59c5f310d6e0cab526c0f206e366

SHA512
8434950680cf52c3baf06d5f58efb2b173599a9b48a5c52eb92129bb6f9cef84fc73b85d8984e07cbfc2c95725a40a5a91eec6a62c38a1c9482db8ffea3a44af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
197KB

MD5
e0115a6b47d91c94ad5b21323fa06ffa

SHA1
a467305570f1442a334ab582c1e0cd6bb5ee4818

SHA256
943df8df2c53cb345bda4451e19a202a85bb227b589be39892983761277f1c6a

SHA512
f05b49436bdc61688731d8bdee891bcd3cf878196a0fa3ece0167457021235fca236daecb17dd30e5fbd3efba7e026e506a0e2341b494e33cee9c53a65788abe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
188KB

MD5
8d84fd7ee938b60bed7cbee7d07cc2e8

SHA1
96bd01f4142e28411643e6f68df53a92fd19ac48

SHA256
c10074e9ea028c48eba9296753982e2a990964f9cc5a03344b8fb7065bdf5fd3

SHA512
077fed8b8f6cb84aaf198b1772c7d8954749e564a6ccbc5fa938f22eb55575b40b17ed14188941b59d0989b7874dc35d3b2b3555b5459fb0be2643f409baad7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
195KB

MD5
5e4722a46437455dd9c0b9b401f89fa2

SHA1
64dafc2b3fe6bcb000d8009ccd374060a6cf7c5e

SHA256
6ac23e794f76c44181f7c39c6bc466c708620a838703bfea4ad7f737195998b1

SHA512
bde7aec00e9f9ffb7613cd0864da21e51af4693b5d70830ae97e3837a3e765983f9ab3282bc7b53dc6665caa9fb6e0a1b61b7ffdd468b0736d921d6a52e960cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
184KB

MD5
31f762c06153507fe9085f39f9201eaf

SHA1
2b4acf5e4ec0d0f6bfb1c88e23be48cc39240d74

SHA256
82abb9fae5b081449dedc10bfcef0cbdd6ecff6447352cdd96108ed6694fe9ea

SHA512
5e4df3c34ad698bd1f751b1e4b7ea4b7aff65d51cae587203bd15263da307344d3552c9359967fb6dd64fd117029dfcff54fa380071a4b13492905125b0d3fb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
198KB

MD5
2dbf6fe6a78368ab038bf6f70b3a53bb

SHA1
aa76e27ff3a31bf26f768cd651023cf6d60e8c96

SHA256
7e2628bb396bc3567164750f3df224dfe7485e4a25c60679ce1e763691f96d11

SHA512
cbae96badf82ae518d3ce718d7d6398255a564adcb9546349c0537428bb9bd6b846adf38ad77718afa9f39f7eef1c347f17fe50aae2115a87bcc4dffc1386440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
201KB

MD5
dd773de498f7bbc35941e6e9f7aadcba

SHA1
d433e973bacdaef17fe124c267152d8accc38ee3

SHA256
0137547c2a0aa53f6c25fbf66f10e35ad5bf027c0e4b5bb7caef892bcd14a2e5

SHA512
fbfc54a7c4a94b9932ee0178afedd24d9ebcbd0e2a91fd28b2598f7062dc011b8575fada61afefeafa9664994acb9b3606238b51e3d099adc531f078032f8a44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
202KB

MD5
306d9ca91e80bea88aef8a5d2922821a

SHA1
f5d515a1f319e5d3025f951716b37b328fa9e010

SHA256
94023ca398c1839bddd8af0b549c25f47a9a0261d2a6dd419ceec3ee7be53970

SHA512
521b4aec5f41f7b7f90d7128789715fae20f3f0e93394c5dc88061672ec671cdd4032d18dcbfd5265eaaa6645a91e03576f110ce3c8e2dfa67ac60fc95033330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

Filesize
210KB

MD5
b16016f620952941a0944920bc0519f8

SHA1
0e44b5eb9ae423db1e11e99a8e6380d0fad224fc

SHA256
d3d89b466a879cd58a6144db18e3b28e5e49921a419217998a2dfaf82db54f3e

SHA512
7cd3cff8e22af5089233b4711b037d48c83cf48488638206794fce22766c1bb3bec3137be311c23ce0b93211dcaeb6cac61d0c41d9cd2e25a75badbc29f81ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

Filesize
190KB

MD5
72d8f8442ac48a47375f2adf79ea7ec7

SHA1
690eb79d784cb2f778dceba7f96bcb09658f107e

SHA256
ebe46f1c81e2169e9f838e5883e44b75692469454c14dffac58738ba5900bb4f

SHA512
0a2b319516aee9134452225d5dfd45829623c34fbce4d9dba1950a535c3fb07d4eb916e46b31bfef7eaadaaf544b75fce0b4e22c06c16971517beedc2125225a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
188KB

MD5
4bae313dd11ece9790c9d032e1a186a7

SHA1
6ecba928ef853a31adcfa3c4272418d7bc72e904

SHA256
c9149d059b7c4ee1595573700729e39fc598b1d066e2adaeea3efe1cc9315b3d

SHA512
7ef71925dd01ae060078c27f508828fe95a44282871e6e6bbc1095e4ecf85db3083a76e9378d8e20a8c2ebfce4b0f286b20d789cd4b26bc9b28650330062568e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c406bdfc5271cf52e5b468a41b45c7b7

SHA1
2eb7d4ec546d6dbccfc1c7d2662bc4e5453e44d6

SHA256
e5c5a0af60987a54164f6a27327e604ec742a78d1daae043d35d62e6d49d0c85

SHA512
991c9e308ad89d3f70aa2b5ec49cde3ccfafd853421ff19c8b7b7721c0c72233566c79ae364b9ec5301214d65f6811e927aea21142fb1443d50e05d06734a3b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
0001e328ec1507bd645b8a3e6875489a

SHA1
5dbb072cad834abd2ba62957c1abe041f0f4296e

SHA256
ffdf7feb70d53b9aae04dcacd4028b80fb143f4f23e2116634ae7908b6a9c6f5

SHA512
2d172f6d98b83a1c2b58c6d9db075f3a387349b26e05d4dc520b64cec9f05f650d0e3d4255d3fead73b4a8122a9a75b4bed90850a0ffce254d4e07536a4b34ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\128.png.exe

Filesize
201KB

MD5
409fe35c4c82c6ee01e91f5ab67d4e9e

SHA1
77854cc72126edcdb2bb2ea245f8d5f422978f2e

SHA256
64050d9c707c67a6d212e3f9d231e3df9a7255cece0ea5f60eebf996ab765ad2

SHA512
220970ef896e4755486ac2dd10d41fc23094b5379fa82e853fa79b416d793666af5396c832fbbdd8d96fae6bd63b85de0e91bb1094cca05ec9bd946102878109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
206KB

MD5
50713c3b87d270450c8b19b5a8b7a0c1

SHA1
fda8dbc8b5708ac0bf21c260a75877b977748e9f

SHA256
45ef1ff09e121070972e4077a99b5d316bbe54eaa16a698778229fb0f8fac9c9

SHA512
093620e7f07d7db050ae874ba201bb0f6a3e5ba239b5869a62df89cf0026daff4f74c07d2aa6baef8f8d3d415da77a50505e44ef9a238bc95560669066ffac89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
204KB

MD5
718c340712af227992a74427e8f7efc1

SHA1
8fef1cd54a64d54437eb873f18356ca7db40b441

SHA256
26c0bf946388a5ee2d52a161c3723b15ec07d52a0bf6e4f9acd75728c2261fa3

SHA512
7fac845418d52c619749bd0ad7a212d310bb456df3b2d037b33be8a17565f1bf5fcca15ae1e835b2e63abb82e5e8b8816630c53925d35eb06551facf8d5fdaf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
554KB

MD5
03ffb33ee0e1e205ed549f3eeec16f82

SHA1
f0de5b5a84f36a56db436712aa0974e325af072f

SHA256
31a1323ea45552be24b9c6a80b530db40d48e4d5d6eb4909a6a00b32144057b0

SHA512
192952387b0054a7f2affa01c1a8700f60625daef6fdc4bf9261c957b87645b5f1628d806d6778464a4fa7a76f575ab2e934d10ecc48a29f481c23af8148fc79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
200KB

MD5
5a80194f55ccf23b2261ba78d01d5c62

SHA1
e639ed015c73cde9ff33a6dbb3a7b4bd5ab7b34a

SHA256
8837a891e738692ea4363d093956e4773b49b8cda1a5f9a291c72f4187b5348b

SHA512
4e49b47d33103692b75872d254f46f8e560dedca873d7c55c56ae7cf8a9b845eada97c1cf0e7fce6fe31b0512209c05425412b84e08ec3698a5baa29c79d47b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
209KB

MD5
7c5aa93f52f7ac92dfde5ee23a4aef6a

SHA1
f5737ada309dabf77b338c099b54ddd9bb317366

SHA256
240b10c2518e51692d487fe3eda0af9290042b17fbae39ccf1a840a0ceebd9e6

SHA512
c75d0c917d6864095e9b6a3d246b7f1739309b39f1966f7a7f05076b6a81014463be936134a5c8cc321955de3719a6195538880c2cc28affdcb8867a5a41cb8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
203KB

MD5
30c653c158e64036b0e5b021882f7e71

SHA1
c160caf4fd1b7394d23e961fe5a97efb6cea438c

SHA256
ec073386b73d93c878d74518900b85d6c92fac9170639b7602f584ca0b830bd7

SHA512
de0ca624957ac58ce4ed8c575320f0a9e9c34c1f73a38e70ccfb3a152b3f439e99cf25b3fae23a97a7bfbd42d50d051cea5c40511dc8c370b7d420391ab135a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
201KB

MD5
41f263946f2f3f46e16f08b5af70c7e6

SHA1
8e7561cb439507ba11ad0655860a171673ec4cdb

SHA256
3b34e9a9500b9654a35cb21e0e3a4eac37cdb029e58e39210971f8f5c0331c9c

SHA512
66dfebcf8876cdcc58f21b46201aec7bbdea627575ebb428815b12350f59424cfd78edeb9d23bcde5b904d6f0df92509e1c1b593f3d1ec3ac5c140d855ccbfb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
208KB

MD5
0f455f171e9d21eb2e45eba002819554

SHA1
fd67ffdaf7bd38cd14d6986a0fc33a2e3ff8ab04

SHA256
d84cbc4f74d1bec411addebd027b0effa10fcfe3c9f714d678b7666e79fbeb95

SHA512
66497d4d7896223cd494f83c76498670ef58de283de2c0b248021a75d149221efae13e1247259d5d30d49673889abaf90271d3bc7c42ea29de067ce65919efed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
190KB

MD5
cf739bed226cce0c469dd3db79178246

SHA1
1beb1f8b8e6c5d452bc1798115228a476bdd6938

SHA256
88fd9dcf73b1e9ebf60ca88539d62b6a47a2bb322ed7f789d09bb24c46e2fbfd

SHA512
62f8d33973070f7fb11f27ba62091f0774279287e4bd0281b12be44bf0b6bd18074a721bb664475b573914b1ed557c61fb356ab1fd433c9c1bdf903711bbe46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
202KB

MD5
e621fb9bc8f90a3e070172f47879b386

SHA1
744593d71087aae5855103c8ae2d2de33b2275b0

SHA256
6e8046cf759eae6aca6bcd0062c9c70c2c17aea64ecc041acef5e0913ec68a0a

SHA512
4988a33d615aa88d2353d652b2b994ad31460202ed717c3b606a845df59e8512b93b27aed6b096b85d892fbb1db561fdd45fe8f8298110700c50b3b27da8e00b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
184KB

MD5
8b5d7743b9343d47836a53db4f76cd77

SHA1
e662a174b1277a36064d4ada2b0742e11d2c2af5

SHA256
d5296f0365e4140336ce38d7bb878ce401d1435544463179be2f32119a04f4b9

SHA512
6a8a268cf94a88c55e723a0c8292beb4d79ebb19d2455917e4ed98d6336f081d0d60a83a1d8f1c7e76f15d3c7da5d7652eb950bab3fdf5f51272ce64d644d2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\joEcwogA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AwMcYMUA\skMYEgEo.exe

Filesize
185KB

MD5
d5429c048e6cdf592fe023ccfd15b335

SHA1
2626c14356bdb56b36a55bcf7715acb7a282bb5f

SHA256
161417de51f01474757720039981d1d93acf80e5a33abde5b7459900470b82c9

SHA512
a397507938398b533e5a100e4bcd3196e45335e246512143a6565cdf9105cfda82d7133061428d81ab5e757959a8f720b62fca3185a19742d165dd6b8cafaa01

Download Submit
C:\Users\Admin\Downloads\Hydra.zip

Filesize
11KB

MD5
357593a30fbf34ce95d7db2a5e71d90a

SHA1
153d3e93b95fecf22b9660660d376b0bde042140

SHA256
75f0265017e4c7d6df8a9087af92ca3e8f742a4b19ce5539e25f95316f925275

SHA512
8e96b7803d11b5a567361be18d24cff46c2e908202c067ac6f25b809589884abc327cecde7a46a0867a2b26888e9b2edce1466e20a5136272883bb60ac245cc1

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\Downloads\PolyRansom.zip

Filesize
130KB

MD5
7a5ab2552c085f01a4d3c5f9d7718b99

SHA1
e148ca4cce695c19585b7815936f8e05be22eb77

SHA256
ed8d4bb55444595fabb8172ee24fa2707ab401324f6f4d6b30a3cf04a51212d4

SHA512
33a0fe5830e669d9fafbc6dbe1c8d1bd13730552fba5798530eeb652bb37dcbc614555187e2cfd055f3520e5265fc4b1409de88dccd4ba9fe1e12d3c793ef632

Download Submit
C:\Windows\SysWOW64\AAQa.exe

Filesize
493KB

MD5
dbcdf5824ef6882a201420cf6dd6d206

SHA1
f180f1d0b08e95138f96980223dc8cbe96f6b4a0

SHA256
d76c2b440a46373bf188cb304c5f3ff31c3e65221852fbb48d3e15276b2863e6

SHA512
57250b11ed96fc260031b123ba3f920031c62f097121d8df29bb74c21a2c48ee847e4d10bf434ed68b9dbe821c758ad12d4987582faba0ca04f0ed5ce8754908

Download Submit
C:\Windows\SysWOW64\AIkM.exe

Filesize
191KB

MD5
0feb82c9c2a4680864aedc4ae4514495

SHA1
b892ec0c7e1c474aba68dd5d471c4b87f9590bdb

SHA256
5935427ea17e68060658679ff38778bb9cbf5f2316635e36d917ee0646e44389

SHA512
10c79247e17fce8b8c049c1b450e6f17fd4056b7304fde3025b9b68ef59b1ceff943f6f54ae7e1ce237eead64e1fac87049cc30d065e5282d2c5a450aed9e818

Download Submit
C:\Windows\SysWOW64\AcUq.exe

Filesize
1.1MB

MD5
370bda0a9ef292321e061934afba8553

SHA1
a83cf253c838d62fbf524cb6f7ecea5be5937b0e

SHA256
3f2c89237d00dc77bf0745dc26ac96f78ff8bb695c270a023c85691355571412

SHA512
fa13ea389660f379f1776aba19f16f4e4b01c27c8efb3f7d4bf0e8580d26ad388e2293e1b7e8f5f0c127eee87654bdb0a0ce5fc078fb45fd93f8b2ca080d36dc

Download Submit
C:\Windows\SysWOW64\BcUm.exe

Filesize
638KB

MD5
56c247b513c9b4248a9c0823000023fd

SHA1
9ac3cb8cd2c8c05da8b2ad56ad4b0d6148ce0769

SHA256
575b2cadeb157c70a1cbdfb5d4195aeb7ccc87ee9da26f7cfacf49e6fb5899df

SHA512
cc7dca35805779fcfa7dbb12616c6c3934244e6114843226428b421dc75a89e7dafa64767233dd983864f04bb129f0b8752ed29f69c2609daa6f71510bfd9d10

Download Submit
C:\Windows\SysWOW64\Bgki.exe

Filesize
204KB

MD5
d9bb6d0cf20ba837cc235b13f177c212

SHA1
f57d0fa91ba4b9149600ea6dcddec1fde114b78a

SHA256
ad3e374d67d7b56fd6b21d81f8d5637801b42994d3bedefab4504b7e9d0e1173

SHA512
3a173416258725e655bb18811333a2673d1fda10280431378de96f35c8fe611e48b615f537d0ce9233dff6bdd6aefd804cc28f980ceaca5d4af6af30d77c5e89

Download Submit
C:\Windows\SysWOW64\BkQU.exe

Filesize
203KB

MD5
d0f55148a1621ba6e786e663c0675140

SHA1
35b6f4ad562cd443abc3efafa00b66a7e8e63b69

SHA256
a47aaf7964d811d055de716a9c6cbfacf550cf1dbfacb63100805ab3788f1f80

SHA512
a4f4391a74012c7cf8e672bc53fbdd3ace7e30e053259f3259e9cb67bc5f322aae2f0a6ec591dda036bff5d30d19abd16b4ddf7f1d43696bd433edbb8cbc1f30

Download Submit
C:\Windows\SysWOW64\DogO.exe

Filesize
635KB

MD5
623f8533ff029ed87e485943627f8da3

SHA1
162f09e8bcf69e8531abfc6196295fb4ac23958e

SHA256
ff132714463cf4a1ca8daefd5f3fc38c618919b8a74d7085732dfc538d61d612

SHA512
00a64982ab74831e4f2cfd23928dc7af630ebb4d1daa45fafbac22459ac1b75caf16e98d897bd154d76cdaab8b7729739d28ec98239c8bdfcece5098b7d124a4

Download Submit
C:\Windows\SysWOW64\Dooa.exe

Filesize
311KB

MD5
7fa61ef0617e511e5b338daf7901fb04

SHA1
386c68a5f5084797b538a264c204d08c1c985009

SHA256
0645ffd75604a5a5c8e9fe717f700eed7ca15596e3393eaf4b097d6c9c6e2162

SHA512
f88452aa24fca0d7878e24115b9fe6767249016223b3c7849bfc654faf59efd65d77fdad351d262f10dfddd48238ba4649e948f8ff85f89cb6f2bedb87055fee

Download Submit
C:\Windows\SysWOW64\EooM.exe

Filesize
197KB

MD5
32e6a1bd5f3709dec1be7d3dc9785da1

SHA1
e4195db46b6898e8788faadb3ae2e37e244ea312

SHA256
a9974ff8d7a2750c14fcf769f185a6bd95cdc50402570a1c79ce7a10f635285d

SHA512
04a1e70cf34c7d17d79826e2988335f15bbe47dbac8cf9a8d301950c964aeed5d8598110204feb15d774c4ffa603a2713821427966ce8c90fcd2f2eccad97a0f

Download Submit
C:\Windows\SysWOW64\FUYe.ico

Filesize
4KB

MD5
a35ccd5e8ca502cf8197c1a4d25fdce0

SHA1
a5d177f7dbffbfb75187637ae65d83e201b61b2d

SHA256
135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715

SHA512
b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636

Download Submit
C:\Windows\SysWOW64\FoMA.exe

Filesize
812KB

MD5
456531ad8daee28be311171986f3933a

SHA1
867368606c4fc72b814e14d6da96a021e68e2430

SHA256
0334769723786955185e05428fdaaa5ba51922279d09808f5fe2fa831ab00b2f

SHA512
88ad3e1d495b3a02513fdf2b469e67ab679a5332eab69a39b94d6ba551b6fdab2c2d30648e9d35566e00fb94e51a22b7284ae6f9ac698335b1553abe6c3b3225

Download Submit
C:\Windows\SysWOW64\GwAM.exe

Filesize
792KB

MD5
2c3c20365d7f272da20975eaa88a48f8

SHA1
5311222b4673dfd2660599bb473163c23ce1daa9

SHA256
f4e1927883d4613255405c4c936eda99bf079e0af3b66fd525322c7eeffaeb76

SHA512
43b9261f93626cc7106fe4d14f4a3373f41cff8ed406805da1ca71c1f802c308600a06bfa841792d1d7d3979ad65ca956a8dd2999b622aa23e3fbfe349c5726c

Download Submit
C:\Windows\SysWOW64\IMcu.exe

Filesize
198KB

MD5
8c537d6c8985983db8693b046169a765

SHA1
08481eaab9bf4160f7bd9772fbb9344c81d5e659

SHA256
29b7722c1269440f48a1832ffcf8d42a19759f7e52d3b0400081d454a41a31dc

SHA512
393a7df7ed34db7d4fb0e49fe2bf1adcab28619098be5d265fa4bcf0e5676c4255a9c7daa718e441b305a3e1c61bccf59b85130b8239251332c0bc135ba98b1f

Download Submit
C:\Windows\SysWOW64\JEQs.exe

Filesize
192KB

MD5
00995b2e180bfa9579f3c12bdded7ca4

SHA1
2fd244d10bd43f0fa8aab14e9e8400e56d376508

SHA256
b7cd96138ffa0bcbb7ddcb2e5d420c7e6d3dcbb896fd28f3c1ea7f3cfd95f767

SHA512
c4ea3c9f1f6f35c2046cd1c5c6029cf49899c3d0c58d92ae13904bc2947bd50743e07d65bd4771fa54a5bd02f3c351e87f7eac7cfb0b11e5a3227e2f4c8857c9

Download Submit
C:\Windows\SysWOW64\JsUe.exe

Filesize
439KB

MD5
5e009019a045b9f09cf8005865823bb6

SHA1
cee7970e21ddd5d86bc3aa68629e00343f73054a

SHA256
447ae366825a89ec291bcf431cfd91dd23295075061fb364a0a67d997cafd3f0

SHA512
11efc930f6671202481cf373931804cb9037e29764b622beab7d6b582883ffe017c2d6b71b9e25ebaacb5f86299e12a5a4dc7bcb623d9d810a4923c40f01d84e

Download Submit
C:\Windows\SysWOW64\JwQm.exe

Filesize
198KB

MD5
41c4e7df874a61be719a0aa278c6e65f

SHA1
5f328b6ec53066edfaf342499889421a65065b99

SHA256
fa3c53ecff43c99b9a8707a82cec33b305ec970f18e32a0e2a5fe56d05c5672b

SHA512
8a5847edda6b6cff96556fc4ccee770436dbd23ab7d5774fe51a165ccd1c241dc105348981cc762ee4fe489258a897a11949b64a61fe4bfae5086d76447299cb

Download Submit
C:\Windows\SysWOW64\LskQ.exe

Filesize
216KB

MD5
7087713b8988fda49c50b1602530397d

SHA1
efd4537941fc927fdae1bbf336b506ede46ccde8

SHA256
a757c2a5648927b1d1f2e27177b923aa9d64244e1d5a8a69579cd3384b4f60c6

SHA512
90ef28d596af14d8419fa5e6c3dee147a7a1ace1b9a02cbd5f50b7cbe4dd1ef79824dc1477873980858a6673ff4f407cc48399663db887d455fe5cf48a8887bd

Download Submit
C:\Windows\SysWOW64\OUIE.exe

Filesize
314KB

MD5
47edddeb64c2b88464fd5bde25f8435b

SHA1
b2352203c7aa62453d7991b84ad275e12faea2e3

SHA256
445a0562c87774bd67fe20cb4d425a4148a1dea9fa6374d052823307ad73c757

SHA512
615e3b31b17027eb814c93e570d8f569e68622e040b6d19881f7b79c97d3fff0e61f1009d3c4be661c91c51ad2586d35ad5a5fd475363f347be8b99fb6a0f273

Download Submit
C:\Windows\SysWOW64\PUwS.exe

Filesize
229KB

MD5
7d9b59c1ceaab6c06f510d6ad0eabcce

SHA1
1121970a9a95f6bf4448ec6e9603c8bf2ebac72a

SHA256
eb55c3ba797d653bebceef7178b80d3d85f14c276615f1ca9a2fd8493a5a8687

SHA512
e4f6959046bb0451a64a2f096171fd33e38fec560eb369a906ca1c28b382e399701cfab4bd226e2732b9c5464a06b336c218c4423386e002cbd9a9c90316d2f6

Download Submit
C:\Windows\SysWOW64\QEYe.exe

Filesize
789KB

MD5
659a65c24acc1662d2cad586841092d7

SHA1
9035af48e6b0053c26ff207b2fbd8ac911765e78

SHA256
00a7b8e4ae030383b4b251f1287a03c59783a0963c5941ed1166307081dbfcba

SHA512
a58abb2c1ab0dfabbaafb8c83caa1716ecc1ffec99c4005c7287db9a35fe1ba60668fb31edb347535df464d69c46d49d5e7ffa26cc51e843098859de98d1a1f9

Download Submit
C:\Windows\SysWOW64\QUYe.exe

Filesize
5.9MB

MD5
167b2661cd09d1befead83308206a96a

SHA1
43bac50be219aa6e179b16d0f02dc991eb2201d6

SHA256
28ea25a444567f399e807f47d152eb54af47f5df4b58b9b68932f8446b07a19a

SHA512
e99dad99b4a9de01c86dda7f2e2954ee15cc82df527db313240eebca4e7548984e831fde618a150f32f0616636bb908d6a0c67d1cff15af4c1622b773833c38a

Download Submit
C:\Windows\SysWOW64\QscQ.exe

Filesize
185KB

MD5
4b175391fe6c423bf609adf560dc20aa

SHA1
aa347ddf825c8d0858d0086456f3ffac087cf46a

SHA256
fc229c962cc19c2ac7f421675956733409148ca29060cf92fb99a364cc52bf1c

SHA512
3efe5b6ee6f4b0f2c76648ff6463ddc6742a32b446fc3ca566fabcfabf66dc3dc272ba5e5c8ee50fe7c3853f611959f171aaa908eb7a20688a47b2686ff7eb6e

Download Submit
C:\Windows\SysWOW64\SkYm.exe

Filesize
187KB

MD5
4667f298c25205f77d07cba6eaefdf7c

SHA1
1ad4b8c3fb774f1f71e16c8a6a2fbf2ae95529e4

SHA256
3a4c66239a139710ef919d17eaddd366420eda2d9be450d788dbfdd62ca691c4

SHA512
7042d9ea688dda174de0e20f58510caa4b18c34c964a8f68658a4d135855607ef85059aceb222887af50df23a26cf5beeed6c610e7d38cf4c7df166e2371c727

Download Submit
C:\Windows\SysWOW64\TAsI.exe

Filesize
203KB

MD5
0adeb81f17d2f4d74990f6f3bd31673b

SHA1
d1e0c25e6a26533ea368eb57ce638474f912dbdd

SHA256
24d66cefb28b37ee6450d62e6ee5a3039e96a867985f0c67b530f4780a13ef14

SHA512
cf8841efcc914955c9338d6a8a38f620667eadd5bd94bfee8a005e963dbc882db0733be25f9eeb98e55276ea537cd2a95858fbb7ea2e1d31554e8d36e0de169e

Download Submit
C:\Windows\SysWOW64\TMUW.exe

Filesize
210KB

MD5
4d7ae339dc24c350836cd267b252eb4a

SHA1
b0de8cbb85ef4642c83170ef832f045b9ee0e14a

SHA256
20771526edf824bfd1175f2b75d750e831f68eabc8a659341e82a9993886ce86

SHA512
6da1d5be95ad2d988f327c335d893c6addceb33825295f5925af22127245f13c076b1293e79b16a943298517803d927a2b78ca35070be0a5ee3f24c4ba287297

Download Submit
C:\Windows\SysWOW64\TYgO.exe

Filesize
215KB

MD5
0d17bc603b11b5127700df3554266f3b

SHA1
aa1b841bfee5913698ca7b6848fdc81af7384e48

SHA256
79a1a6c48b6a960e57d2780e218ca40ed28f7417f40c4a6c75bf36c0cd3a9a07

SHA512
92c44be48c6fe359cb0aabeb83d39e93ae55ce2d230b86d6be99d3d231f0e79724ba8415c05e04b2963f6496fb43c80ce42f55e52c47b88980310431ec7cb931

Download Submit
C:\Windows\SysWOW64\TscG.exe

Filesize
1.1MB

MD5
b8915183baa90c296718cf4dfb2d4ae4

SHA1
61ab92942a63f7118c9327076a3837cd61c6d308

SHA256
37876a9feb0994ce99606463e03d836c5505591bf60ce810b7e92283f0559038

SHA512
0cb4214ecfc477fe6e1ac859e512cd2197eec0a98cfa542177ff953a9c6e5ddad0a188573900f5a13846aa6e756c7c16dbd16bbfcec0387751659d0cbc3f9ecc

Download Submit
C:\Windows\SysWOW64\UMgy.exe

Filesize
295KB

MD5
698c010ebd7baee748a96ab66c95932b

SHA1
e0f3a752b57e48ae1077f1b95470340e87df91f6

SHA256
e4bd7aba1b91427b2896265a77b50d34a4d8f8edee314f0fbbb79fd560a135ef

SHA512
f9a69fe9db058091bf94f80dca8bb08d61016507bca6edda564db52b07446ac2e512b376d75d4378b308199bad0b10a2a3640dd98f9fd551dc7bbbc83f8749aa

Download Submit
C:\Windows\SysWOW64\UcIM.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Windows\SysWOW64\XAYk.exe

Filesize
425KB

MD5
a117f49cd93fb37f262eb8121afd9706

SHA1
638c230b0031af1f34283221b3f51f078a2df96e

SHA256
911d5a3f60c50513cd9c3d56ad461adf52d8e84570542642545d030b81352571

SHA512
1756a5bf11c8c8b307be52b27febe3eb132090fc9a8a8df17205054f80c1356722ac7f5c4a812095d22ff12e32e46b6bd2ec070b987119ca65eeac6f7ad08e6e

Download Submit
C:\Windows\SysWOW64\Xcwq.exe

Filesize
204KB

MD5
b42085b0d20f2ecc44358e5695184cf0

SHA1
92d5e5ffa95fdcc96fbb88751f266e0723259fbe

SHA256
91436fba197701d34ecba87d183f16786ce17214a211b1e3f6918e9977cd73e1

SHA512
29fba5697eba0a1fcb7f80224dd5c1257d40b35760b2fb39bca7b6ff25485b0bc89e056b3b567908820c135e53aab8114f18e6594e228846381990674f4b3bff

Download Submit
C:\Windows\SysWOW64\XswI.exe

Filesize
360KB

MD5
99deab992ebc8cd98d2ea0342c1ed84b

SHA1
8e0938e3018c112c820d651cab6f3bc1a811aa9f

SHA256
c3a49167664a919d736d441242e3c9f23479125dcceadcfbfae0645445dcaa6d

SHA512
df2d91ecf1ad9b54710bcb82d4eb2fbd042182a5234de0ab818d03de1f2317d6071a4806549d0b9b6b74abd2c0d58de4d095e13fa18a21186adb54a8c53ddaae

Download Submit
C:\Windows\SysWOW64\YMAs.exe

Filesize
355KB

MD5
01fe189bcd1f6efcd1d2a190f0957a4d

SHA1
d7e146977acbc9d668f1d2c97644f8e6a9f806b9

SHA256
b4cd604e123e9f9b37ffa1fa09a2f69b6368596f203cd67013cc9a7b8c3c9f04

SHA512
96ae789294edc490647fc1f1413e9fa97ca802e2ae1666ac744f60d7a902fa03f8198a83abe30ba8e9c5206406ec520484c731a5c338f0947da69e52bc6d2a86

Download Submit
C:\Windows\SysWOW64\YUEY.exe

Filesize
330KB

MD5
6241a8ffda7ed9d15aa9161cccae6491

SHA1
9983778227b218600cd274302c2c32b4ee1f4f64

SHA256
b2c5070a5db77a6b3c78dab7e446a8646113fc1f6ae149868da490ca982a2fd8

SHA512
f91e2df49f360474445208beeae90faad2ba6cc817aa3bcc28505636c546c4c1890f5219320fe52b5b12db1c28098a48a2e80965e156b3d02878170838002b2f

Download Submit
C:\Windows\SysWOW64\aEUO.exe

Filesize
622KB

MD5
e6b4c4d64927cb60209a8eff8f2ec1bc

SHA1
6c34509954585d8c3fcbe65ab40e681cbf2612d2

SHA256
b96cf99cf3e99b36831a1d1a9ac18d81d19c05f55efc683397ee98f9a48209f1

SHA512
5d4ca96ea7c0dcf86c91fb3736576670c490caa0f3287f7e5082492a6fa31dc8e42458f12b9c3699e48b4491a0a96358644b41b06920927ce70ac0a2cc812081

Download Submit
C:\Windows\SysWOW64\bkgO.exe

Filesize
1.7MB

MD5
0e602800d8ea31395de27f99777f6a20

SHA1
3a3db2a6d1242c82ccf349039b6d858fbef4eff7

SHA256
7f2f51b68e0b884e3270519a65992262d7e35f853a1ab96de4d67e737067afe3

SHA512
fd55c510dc76554c2ebcd64e8a111d2536001078671948918f9e0069d5278fbfda6143f9a8c650bc196e00e3db647c3b18e1374ea790f5df8861e9581907d729

Download Submit
C:\Windows\SysWOW64\bsYU.exe

Filesize
5.9MB

MD5
d2438cfd3f0cd0cd1ed2b9e2615add19

SHA1
cbaa4eb1bfc0c632c0ab506a7deeaa34992cbd87

SHA256
19cd8fe4b13ba3f936832aff090afc0af7b657335d1745fcc3cf9b853c879ce5

SHA512
0c9e9199176415cf27e95ba7f79dad72c36949ff7a0e3d219caddd31e22f9bfee0e2cfb4c5675c9344d2857d43ae394995fecdfa6fbe673896cd03118d689722

Download Submit
C:\Windows\SysWOW64\cIka.exe

Filesize
196KB

MD5
089f14375d99fb7824ba94de86fe0348

SHA1
cf398c793c0d2fe849bf83cc3867655cde487974

SHA256
8d888c9666659f2f3171ddf02f1deddea9dc2fd4428f92b74ffd0a62edb5a039

SHA512
53c923e58314ac8d1e89cb24362f6eb9876c6f8b25a9eede991a03508890e33a079016a46b6746892624b005c1216ff6e224d6dce21cab119f00fa5d65f6de08

Download Submit
C:\Windows\SysWOW64\ccgA.exe

Filesize
189KB

MD5
e851c72cc0891f64a9bd910ee385e84a

SHA1
3380d44382e2de619f49e5386095e414b545237f

SHA256
be5e444283ec70df04a656582a0555e2eb2c2f87bcee970b49c42d65f8d5e0cf

SHA512
7d48f1b9a9711c0cf2f318e5e7b4dad36970386055966621de6cd718919a0e952d561f06b043435397cc0ccabd789ab01d7275d17065b14d2a222c880de2336c

Download Submit
C:\Windows\SysWOW64\ewEi.exe

Filesize
210KB

MD5
9aa65d9b45ef4ee133f14a1b6921ccdf

SHA1
1b5a89a01e7b46369fe06770df5aa11bd6a5317e

SHA256
ea7acbc1091f2cada2a9e9668f4e670f5eae64afacee5376b44d076f1d98a4e5

SHA512
bb02bcfbb381ca8faa39c48857d07f14cda169e554b574bb95a77d4cd9363b546237e4a1a16313043499da6115a6acbd422f9e3a420800b329b77c1a4403f51b

Download Submit
C:\Windows\SysWOW64\fwIm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Windows\SysWOW64\gQMq.ico

Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Windows\SysWOW64\gYcW.exe

Filesize
589KB

MD5
c859f63125c0d3096114dc39a938e854

SHA1
95861aeabd27a7a1e5ec8f0cf154c19a1335468c

SHA256
75e8468e6de90f7a51d3a461f37251cf991807ed338deb8b8fb9084f121802e1

SHA512
df070fc8e4f28e490027dde6e82d24f59407858d7060c68a1c552a7b4fb7dde4d9107168d76be74854c66e3f2c657b7c95302ecb9cf7302af7c8a36b0abf2667

Download Submit
C:\Windows\SysWOW64\hQAe.exe

Filesize
220KB

MD5
260422949adee4d8e6dcde43de06218d

SHA1
dfa89280ec712605e512a03dc8a7c63787e9eb4b

SHA256
b233ccc36bb0e05847cab9e9d38268d645f1ff1a598037e6ed73f6475b6ac9bb

SHA512
0512d1d6c96a56cf603dc26a5dccb63c5ddaf41709de98a7b542c38ec188ac0d7d1286c95ddd38d3541ebac9a18c396ec7305cdafef5c0115bcb72c234644eaa

Download Submit
C:\Windows\SysWOW64\iUgG.exe

Filesize
188KB

MD5
9e6b8fdc232615fda58f615f5b29138c

SHA1
cf28f5ad71bc98b2c9e09b4a2b54b855bab75c18

SHA256
5f32a1bc69527798bd7f00835e7aaacb832e015848faa5bb5c1be0438964c3b8

SHA512
1d4500b191dc2f10b9d14b3f6547d5b5ad8fd4d4ed99be6341350e65cfbb4121519702ef39403e1db50d90bf50b39771ee0a5c8d3e74caed74134b7db00c8784

Download Submit
C:\Windows\SysWOW64\ikUK.exe

Filesize
369KB

MD5
7177b83bcd318c23fcd3f4f0ccae6208

SHA1
e40323c1b56771bf4e3a2d2e3bdcb8ee6c6c0abc

SHA256
27bedd91845b31a4c52f0b9117d7b3cb6bdd72c0a4663625a8266c35cd04fdbd

SHA512
7aa4e59e4f345e4aa23b25b5978c802204c6d58c656cbaab9145f6585d56608de34988eb7e75ee53fa0660884532a1d72b045c33da2ac41e1b90c20941e8d950

Download Submit
C:\Windows\SysWOW64\kYgw.exe

Filesize
207KB

MD5
ab9efc98b164294ead31324cf488317a

SHA1
d9a7c24cd2a2f66e51d2ebea085612b5b776df9b

SHA256
5a6a87ac1efeda6cdc3df4f8b68f16c67f6645503beb846abd6a965359451b8a

SHA512
eee6d498c2cd705d7ee062e268c1dd760d4dd5a839d66731b72157a35e2bb13e2b2c2afa484269db4ce9d4f1ab603075ea7708749c28f641eedee3bee5b14379

Download Submit
C:\Windows\SysWOW64\koYk.exe

Filesize
641KB

MD5
5cca5097ec916473614b42bc27cd89de

SHA1
2501b1bf916d0ef768aec0f94b8013a1045e7021

SHA256
ed955600fa507c363b8541a0993a268b5ec6ea392066e16d23bf93d090097987

SHA512
1eaa0ea0a9779479697392d76e55699b21940e44bf75c521c11478eb5dca860d8665cfe29ed53a9f120182a07bed93297dc5bf24105e6f1b3dea8f0c64d05157

Download Submit
C:\Windows\SysWOW64\logs.exe

Filesize
198KB

MD5
21c42058775cbebffb3bbbc3ca8a3cad

SHA1
be8a030ac5a8a311d6d093ad953eb1525b9ba160

SHA256
702c5d7af7bf1ee6253354d21b4befa3882449da8a4e25280bd30e941fedb0fa

SHA512
60fae05054537bf1249b0bd89e9ce222701e6e05ddfee1f229e21f37e429c3c0a27a86a1f3cfd03684540a01c1d475d718c24d2a243402413eb9d98a0b961d48

Download Submit
C:\Windows\SysWOW64\lsgS.exe

Filesize
5.9MB

MD5
7fc848d3ff056b0184665551398f4cca

SHA1
b2ad3f110c7bc5fedbebad61c62515400aac98c2

SHA256
574f6b390d1f778f48b27fff968ee100f885f0a6fd3e49cfe156ff8793df0785

SHA512
0aad0e0e6501428b50d6096f9cabcbfbcea1fe72ed8fdaed3692e1015ec9d4c5aac210d483e1ace33f7f805e86d551ac738684acf464e3028d2b080d52c5e16d

Download Submit
C:\Windows\SysWOW64\ocUY.exe

Filesize
634KB

MD5
4bfff7aeec6f10b507e05e8ad76f2709

SHA1
58844194c1809948eb2d2d722c9cfc3afb0cec22

SHA256
5c1355842b4a8ef3e58aa54186945974496143f8768fcd46d61bce4962ad3824

SHA512
7b06a94c01ab0016945b3ab6a3164a787fa74bd96320c5638e7027a7b2f98b155a639212a3ef97b48d99a02a3a8eb3b6c3cef3f959a89f1231b22b95cab8372b

Download Submit
C:\Windows\SysWOW64\pQYU.exe

Filesize
408KB

MD5
78c9b43424bd509db4aa7a8324dc54de

SHA1
31de5397c035d886917bfcf93dea0f47c0567976

SHA256
c2479c132c6e30d789fc72a564f6368fca9fe7b9cfa1701ec2b0b6d7031fc1e4

SHA512
2be07ecd9a3e1d3215f1cec224fadae4e52457ee06516ea98cf40e11affb024b83b4e80c7370d6c39dd7155ac9f34d51d3037758d00bbb4e0318a9a10300c10f

Download Submit
C:\Windows\SysWOW64\qEYc.exe

Filesize
639KB

MD5
e778ce7992726d92803c4f376f3d47e3

SHA1
c9728fce14a58ad0820671f4aadb55cc5639034a

SHA256
7dd043a0df7155d4b57dc8803378a1c7d2b07e34ce65efcda95c2fb5188c8a43

SHA512
20f7d9e12b3685396b2658f585b63e5d104d03337ef96990e70c0b0056af9f89e15209331048603443673fd9dbf2bc730c7a87e3bf42b16c591f3e50eec84cf9

Download Submit
C:\Windows\SysWOW64\qsQG.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Windows\SysWOW64\qwMm.exe

Filesize
192KB

MD5
5a85c71976154196a672b31d310e6a39

SHA1
f2ea8a8e5ce2aef8abc85503b2ffefb647ef3d41

SHA256
bbe697861f29b5c141a073e087c2a2f12e2f0431edf4941817dc80d933060e07

SHA512
8e685bf044567e9897584280a4a4f9203bda03043ebeacc0f8c986e70df9042824e82ea91373c2bd7d59eeed6c15374de7918468f7d2a7d543256a803bfc46b6

Download Submit
C:\Windows\SysWOW64\rgII.exe

Filesize
192KB

MD5
3ae103bcf60855fcf11ce03f73df3a54

SHA1
0f053e40aa2aecd24d0d3223dc2de07d33821bb6

SHA256
f4f1ec32c32a6d54de87fd86b607a7de4f5edb2ea1e21bf2f9d1bcd25d4063e8

SHA512
f3ff42c4046d1fffa99093debca8cf0855c7e8b8608e3258ba815706784a397ec0e1c09242a0fce65d850388046722d90aba4dbbd1c5067afe6f2e0203e46e90

Download Submit
C:\Windows\SysWOW64\sEEY.exe

Filesize
1.5MB

MD5
2d86419061fea5dbb920acf308ab698d

SHA1
24ba47b2040cf5ed043b103dff3ea823ed099c4f

SHA256
20fdf5ae1fbc2e589106f419febb9a0ece9c594747108d89d9557ca9c2a71d21

SHA512
365b3a7f8430a210a99b89dbb2028c00068bff330e169ba3da05f68462e459d46db531f925f9cb96a786e498bbeb1670bccc783230e87623156f204fdf9614bf

Download Submit
C:\Windows\SysWOW64\sUIW.exe

Filesize
200KB

MD5
463483555a5197d47e5352146ff7dab3

SHA1
234c7c0e54bf374c93c5af89e4d48c9eb0ecc40d

SHA256
7256e63c465bab284eca8470a852eedd620f8f517000c314a2ca202feba8b233

SHA512
0c04ce7aa54bdff8f6316ea3df36869ce0d5184bcf70ce2844befc4a7e87ac0c79ebddd7d76ef009fcf14f73523963a142ffd534a2e0386cd4afe99aa6628f61

Download Submit
C:\Windows\SysWOW64\sUsk.exe

Filesize
468KB

MD5
04ff2e5f467af1e3e03c83b1ab465dc3

SHA1
67c68db686a20f8132c902ce83c0ba9ca2749317

SHA256
f81eadcda6f8fa7553eab7f6ff94a72ec6e60c0d4b0ca77ea81189ba861d78e8

SHA512
f1b2a57ae789d4482bcf3a3a0f8f2698dd675293e14a4f811fca760025b3d345d9628af176874592469d00b5db3b8bae46ff771bf87e717f5875ef2448747aec

Download Submit
C:\Windows\SysWOW64\sgQQ.exe

Filesize
212KB

MD5
15be65ca2cb375829d5e61f732bc04a2

SHA1
f45c3cc0c752b1d4a3559b381ec669621b430156

SHA256
a8ed583bbb16986cc1c0fbb75cf2739a5e4b86255166f06a5c7223ad1395ec06

SHA512
614f74f36a4bd59f64bd22273d6647a40aca3954a5502d1a70d8c9df2bd7dc599a5905cd837f08ef494b32f8fcdce2c8f52be391b63e021cd595633b661188a9

Download Submit
C:\Windows\SysWOW64\tMsK.exe

Filesize
316KB

MD5
44e883e6f52187debb611d4a9ee97530

SHA1
2d4439cb50537e3f3acfb479f167b790fbd7e66f

SHA256
668359e65b8828f1d3d45635fb6ffc8923a2831f74543243824429ca483642c3

SHA512
17f22a57b12f6286a662279205f95bf01292af8e4af841dc7434c7d9a0473974797bcbaa28fdb989c55062ff732e43a9996ae47d96c4d29b8588d2434446a73b

Download Submit
C:\Windows\SysWOW64\tcQq.exe

Filesize
208KB

MD5
ad3daa431c11ff87f56a1c577f5d9e30

SHA1
a2f27a9eea3699f862aca7b189b0c7295fe44f73

SHA256
c3fb15f3b82aebb5b16ac1c71ae79cbb0df72e0a10e251da0af9209ff9b3331a

SHA512
cc123a990c825ba1590565a74ab907997b5b485b850865ff452dcc448232f4222478b6b468fac28b82dd22024a594223c701e417e374ca2b12bc37dfc6aab1cb

Download Submit
C:\Windows\SysWOW64\uwMe.exe

Filesize
307KB

MD5
47a89ac937d9a7a6b9115ce8ea768877

SHA1
4a8c4a10e090d714858a08ecd22c3b67830091c1

SHA256
eec16a5778ced782fd65b7da83699f95b72a737b5664b74daad17ca0ad8561bd

SHA512
3d4bb083bc259017110daa776e69f7b2e0920c8bd8cebc4be46880ea821aa969571539aea67142bb03ecccc1616fd7da056ba5ba8c5d726963b9a720f344de9a

Download Submit
C:\Windows\SysWOW64\vAwe.exe

Filesize
228KB

MD5
a1dd8fa13f3559c4004d4c2ba77d2eaf

SHA1
b83a7f848d6a6d2acfbfe3dc91d66e9647282798

SHA256
7fba6d3cadbde6c2afd50ecb095abce2c160263cc74839db06e498b6b978c913

SHA512
ab93aa32f996a073f8b1f12063bb304dead47e4bd59ce43a851c11f1090450a3cc801751aed5bf6b6251e55f4d7e54c483879f043b8183461edd6696367165ac

Download Submit
C:\Windows\SysWOW64\vsIQ.exe

Filesize
201KB

MD5
00977dbb8f2f9bb351a845a231baaeac

SHA1
b6aade6cc87ea7f0e3819d10a4a6fd0c7bff3821

SHA256
5e95701c7eb1a56edbb66808bb5b00b3f3c6a638568864d7f760aa569a46c2d7

SHA512
e61da60ed87733dda69f2dcd0b4dd396f4d886025c6da80d8678b9468c305bc006dd67da13775b79412125f2665898301b6e4bfd940a23dedf3eab4e81a3c295

Download Submit
C:\Windows\SysWOW64\wAkK.exe

Filesize
200KB

MD5
6f9b5c4e357aa614b456ac79418a65c6

SHA1
cf3ba3db8c7a5974563f033890c96e5971bfc2fd

SHA256
04f3657121cf7ead4823147834b6e723c166234763acd74be8e04fa9ba74943c

SHA512
4abf2dfeafdbda0f9509e191a2f448077532878aa7eba42e8b3a2522fdf71ac0a39eedb83f582405689f3cfb8ea9b931c2d912284e938875b83133604cbb3684

Download Submit
C:\Windows\SysWOW64\woAW.exe

Filesize
203KB

MD5
6f8692e3582088fd789ee830b6fe6b95

SHA1
ea22a2e3e406ef430f85bff8eaa2ee3033b9740a

SHA256
26f9e59c40803a76e777f10689caa2be3b971c0755afe92188b6d7e5f04f6a9c

SHA512
53283cb69507040a74db18d9c934ce0c0132a8be34090f1ec0fd55c491adc5645053cca42a3c9959daffdce6c0f3afd5378ce4f9e568cff59de3cc829870ed22

Download Submit
C:\Windows\SysWOW64\wwwg.exe

Filesize
187KB

MD5
eb9409cf7449d6ab61ce0c5bb27d684b

SHA1
2b92d60ca36b8a2db799f88f8d5282934e19c74f

SHA256
86175dc7c041ebbf6fe2a651dc9bf3559df3e15d8a8c1c4946848d94a145b5e5

SHA512
3f7a09702e2b46d2d46fd892280da94b57061b75b6a012a1d144dd49460c358470561d6051661781e1ebc2518d86686d8bcf056c3781a59738d78549774cf515

Download Submit
C:\Windows\SysWOW64\xAoI.exe

Filesize
189KB

MD5
0c92b718fffcefdb3aed67985f3d5ecf

SHA1
8ffb60e56b8345ad8f69a66386d8ecfb4cacf125

SHA256
3fddae8c5d1c425bb75d3a92ffd5a640688977f63d9b1bc672c20589e5dd5d23

SHA512
9b0565ce4d2c6bcae909c556aba0013fc2f0a8b3f685564606865cd6d239f69b6dc30f2c5d6acdcbcb16d183c32a6ab31c772e9f507bbd7e1725a3b5c1bc09a7

Download Submit
C:\Windows\SysWOW64\xMYG.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Windows\SysWOW64\xQoA.exe

Filesize
186KB

MD5
ca13932900efdba443e0ebb45d36b9a5

SHA1
b56b1cd09b29fde98946c3e13f77f35a6a16ace3

SHA256
152482768662462ebb4a232b7ebb22c3b6d0178363637294d9f02e629f16babe

SHA512
2a4b78c94c016f3112fd64191479319cfabd3e7f34ddb7c0d14bd9c26f55f0748899ca7c5983ad1f247a586e795fecbd2d06836d5d9fb70df83d6c2dbde362e6

Download Submit
C:\Windows\SysWOW64\ykQM.exe

Filesize
245KB

MD5
c365788b949376a3dd7c11c9bf8c18bc

SHA1
fe7be2f77571cc4170bb3d9e1db7fb225b95ffc6

SHA256
74e5a6e1a8cb25b3e948e42bda00810539914c598c4cd4b3e2aeb6c3f4674501

SHA512
a09edd3e9a04ec937c65165d967e6a83e568f96d073a3d5d0213ae4c809bf091967c56b5bea292f686154e94966747a2d87efacd193971c8fea0eca4ac91b93e

Download Submit
C:\Windows\SysWOW64\ysEW.exe

Filesize
438KB

MD5
72de7f47c6cdbfdefbae66460a07751a

SHA1
49ec369d5cc02e46a4f96335a0cc93c266b8b793

SHA256
7cbeb96699303f9e52bcb2e2e3a5ac5e76a1187e814e7ef2b570ea8c20e7be12

SHA512
4b62af7ab2c495316d2027b15727ab3861d83020037af5acff52bdfe694581d5d790c8153d67fdddf4570338fd56ef0a857d2daa8b29b76bca9b76f357c69dd7

Download Submit
C:\Windows\SysWOW64\zIYQ.exe

Filesize
226KB

MD5
0894487c6d1af0f2fa72ff5b31c7e340

SHA1
96c813b1a20cbb044ea75540f0221ed61bf01648

SHA256
074eb146b385ee77b9a01ee588019a8beb5c96f105f2e2417e767c31cd74a23d

SHA512
04759f57f171011afa0d4632ff8640e0732cb8f1fef31bb6fcefe4e02edf86f03779563b944cb2707d64f9c87d3ddb5d9566174566629273ad109fb0e55e608e

Download Submit
C:\Windows\SysWOW64\zkAY.exe

Filesize
188KB

MD5
671f68a1b21721925d34450bf6578940

SHA1
3b9e75f43b4a2664c252581a71df86af5e9ca791

SHA256
454073260df631d6fd86f9751cb3c9ad782ee8b7fa092484a79bdcce09e2d2c2

SHA512
ecc9a2557601e0ffdd2a6705cf584f2cfd7345a02d0e96488acbc9946a96159b6ba1520f231af7a054acb029f8081ec873b3832f6d5984b6afda50dcb5224a4b

Download Submit
memory/180-686-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/180-700-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/228-435-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/404-743-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/404-754-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/408-843-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/532-872-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/804-773-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/804-750-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1124-636-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-628-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-742-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-644-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1220-408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1364-385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1364-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1368-762-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1760-627-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1788-936-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-537-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-782-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-768-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2532-682-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2864-796-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2864-809-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-616-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2932-913-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3092-959-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3240-945-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3556-885-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3600-825-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3916-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3916-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-691-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-673-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4004-500-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4004-572-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4004-584-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-858-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4056-558-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4056-573-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4164-649-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4164-666-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4236-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4236-437-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4260-609-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4280-354-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4280-335-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4316-340-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4412-826-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4516-289-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-253-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-287-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-1186-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-308-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-267-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-749-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-2804-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-252-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-249-0x00000000023E0000-0x00000000024AE000-memory.dmp

Filesize
824KB

Download
memory/4516-255-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-1876-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-355-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-2728-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-2773-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-268-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-250-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-251-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4804-960-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5020-547-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5032-915-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5032-931-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5036-800-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-577-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-591-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5248-654-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5248-672-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5476-350-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5560-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5560-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5572-727-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5572-876-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5572-833-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5604-557-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5604-487-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5604-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5604-568-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5628-501-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5628-515-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5712-795-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5712-774-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5768-381-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5768-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5812-738-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5812-474-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5812-719-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5836-592-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5836-601-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5852-893-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5928-716-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5952-527-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5992-655-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5992-640-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6036-460-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6036-854-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6056-971-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6092-555-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6100-918-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6104-707-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6104-692-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6104-976-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download