badrabbit | hxxp://google[.]com

Resubmissions

25-09-2024 06:43

240925-hg3jea1bjr 10

25-09-2024 06:38

240925-hehffszhrl 10

25-09-2024 06:33

240925-ha9zxazglk 6

Analysis

max time kernel
966s
max time network
969s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-09-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

badrabbit cryptolocker mimikatz defense_evasion discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000200000002ac43-1248.dat	mimikatz

Blocklisted process makes network request 28 IoCs

flow	pid	Process
704	5676	rundll32.exe
752	5676	rundll32.exe
799	5676	rundll32.exe
847	5676	rundll32.exe
892	5676	rundll32.exe
912	5676	rundll32.exe
958	5676	rundll32.exe
1008	5676	rundll32.exe
1058	5676	rundll32.exe
1098	5676	rundll32.exe
1120	5676	rundll32.exe
1167	5676	rundll32.exe
1215	5676	rundll32.exe
1265	5676	rundll32.exe
1288	5676	rundll32.exe
1326	5676	rundll32.exe
1375	5676	rundll32.exe
1423	5676	rundll32.exe
1487	5676	rundll32.exe
1530	5676	rundll32.exe
1590	5676	rundll32.exe
1656	5676	rundll32.exe
1724	5676	rundll32.exe
1778	5676	rundll32.exe
1816	5676	rundll32.exe
1880	5676	rundll32.exe
1948	5676	rundll32.exe
2018	5676	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

pid	Process
3940	BadRabbit.exe
5932	D52D.tmp
1452	BadRabbit.exe
2332	BadRabbit.exe
5280	BadRabbit.exe
1528	CryptoLocker.exe
5900	{34184A33-0407-212E-3320-09040709E2C2}.exe
6028	{34184A33-0407-212E-3320-09040709E2C2}.exe
3464	BadRabbit.exe
5692	PolyRansom.exe
5700	mcYwYQYs.exe
5708	BckwkQkk.exe
4188	PolyRansom.exe
3004	PolyRansom.exe
1424	PolyRansom.exe
5696	PolyRansom.exe
4188	PolyRansom.exe
1192	PolyRansom.exe
4900	PolyRansom.exe
5356	PolyRansom.exe
3096	PolyRansom.exe
5940	PolyRansom.exe
3768	PolyRansom.exe
2724	PolyRansom.exe
5748	PolyRansom.exe
200	PolyRansom.exe
700	PolyRansom.exe
476	PolyRansom.exe
1092	PolyRansom.exe
5972	PolyRansom.exe
4396	PolyRansom.exe
3464	PolyRansom.exe
1492	PolyRansom.exe
5564	PolyRansom.exe
5152	PolyRansom.exe
5492	PolyRansom.exe
3108	PolyRansom.exe
752	PolyRansom.exe
5492	PolyRansom.exe
3244	PolyRansom.exe
1152	PolyRansom.exe
2580	PolyRansom.exe
3356	PolyRansom.exe
5564	PolyRansom.exe
1936	PolyRansom.exe
1652	PolyRansom.exe
6008	PolyRansom.exe
1788	PolyRansom.exe
5272	PolyRansom.exe
2236	PolyRansom.exe
5360	PolyRansom.exe
1960	PolyRansom.exe
5444	PolyRansom.exe
5628	PolyRansom.exe
5804	PolyRansom.exe
2916	PolyRansom.exe
3068	PolyRansom.exe
2084	PolyRansom.exe
1944	PolyRansom.exe
1152	PolyRansom.exe
3108	PolyRansom.exe
3304	PolyRansom.exe
1192	PolyRansom.exe
3464	PolyRansom.exe

Loads dropped DLL 6 IoCs

pid	Process
5676	rundll32.exe
2276	rundll32.exe
2116	rundll32.exe
5364	rundll32.exe
3468	rundll32.exe
4240	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BckwkQkk.exe = "C:\\ProgramData\\DQAUQEAM\\BckwkQkk.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\mcYwYQYs.exe = "C:\\Users\\Admin\\oekYcMIg\\mcYwYQYs.exe"	mcYwYQYs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BckwkQkk.exe = "C:\\ProgramData\\DQAUQEAM\\BckwkQkk.exe"	BckwkQkk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\mcYwYQYs.exe = "C:\\Users\\Admin\\oekYcMIg\\mcYwYQYs.exe"	PolyRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
99	raw.githubusercontent.com
121	raw.githubusercontent.com
137	raw.githubusercontent.com
344	raw.githubusercontent.com

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\D52D.tmp	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31133479"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2364950647"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	IEXPLORE.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717202214700903"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1735401866-3802634615-1355934272-1000\{5F854DDB-A2E4-46EB-807A-DAAB3576CC4E}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5484	reg.exe
6008	reg.exe
4436	reg.exe
1084	reg.exe
4416	reg.exe
5640	reg.exe
5276	reg.exe
4948	reg.exe
5308	reg.exe
1572	reg.exe
2328	reg.exe
2360	reg.exe
5600	reg.exe
5224	reg.exe
5600	reg.exe
4396	reg.exe
5660	reg.exe
2792	reg.exe
3084	reg.exe
1420	reg.exe
400	reg.exe
5016	reg.exe
752	reg.exe
776	reg.exe
1860	reg.exe
452	reg.exe
3464	reg.exe
5564	reg.exe
3372	reg.exe
1108	reg.exe
3992	reg.exe
2108	reg.exe
1960	reg.exe
1108	reg.exe
224	reg.exe
3048	reg.exe
5192	reg.exe
2600	reg.exe
1604	reg.exe
2944	reg.exe
776	reg.exe
5236	reg.exe
5960	reg.exe
4988	reg.exe
6076	reg.exe
1896	reg.exe
5976	reg.exe
4952	reg.exe
412	reg.exe
3356	reg.exe
5836	reg.exe
5600	reg.exe
5376	reg.exe
1496	reg.exe
5248	reg.exe
2236	reg.exe
5600	reg.exe
2944	reg.exe
5216	reg.exe
5532	reg.exe
3356	reg.exe
904	reg.exe
904	reg.exe
5748	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5824	schtasks.exe
6032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
5676	rundll32.exe
5676	rundll32.exe
5676	rundll32.exe
5676	rundll32.exe
5932	D52D.tmp
5932	D52D.tmp
5932	D52D.tmp
5932	D52D.tmp
5932	D52D.tmp
5932	D52D.tmp
5932	D52D.tmp
2276	rundll32.exe
2276	rundll32.exe
2116	rundll32.exe
2116	rundll32.exe
5364	rundll32.exe
5364	rundll32.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
4064	chrome.exe
3468	rundll32.exe
3468	rundll32.exe
5692	PolyRansom.exe
5692	PolyRansom.exe
5692	PolyRansom.exe
5692	PolyRansom.exe
4188	PolyRansom.exe
4188	PolyRansom.exe
4188	PolyRansom.exe
4188	PolyRansom.exe
3004	PolyRansom.exe
3004	PolyRansom.exe
3004	PolyRansom.exe
3004	PolyRansom.exe
1424	PolyRansom.exe
1424	PolyRansom.exe
1424	PolyRansom.exe
1424	PolyRansom.exe
5696	PolyRansom.exe
5696	PolyRansom.exe
5696	PolyRansom.exe
5696	PolyRansom.exe
4188	PolyRansom.exe
4188	PolyRansom.exe
4188	PolyRansom.exe
4188	PolyRansom.exe
1192	PolyRansom.exe
1192	PolyRansom.exe
1192	PolyRansom.exe
1192	PolyRansom.exe
4900	PolyRansom.exe
4900	PolyRansom.exe
4900	PolyRansom.exe
4900	PolyRansom.exe
5356	PolyRansom.exe
5356	PolyRansom.exe
5356	PolyRansom.exe
5356	PolyRansom.exe
3096	PolyRansom.exe
3096	PolyRansom.exe
3096	PolyRansom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5700	mcYwYQYs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: 33	2996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2996	AUDIODG.EXE
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
4452	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4332	2852	chrome.exe	78
PID 2852 wrote to memory of 4332	2852	chrome.exe	78
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 3636	2852	chrome.exe	79
PID 2852 wrote to memory of 5116	2852	chrome.exe	80
PID 2852 wrote to memory of 5116	2852	chrome.exe	80
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81
PID 2852 wrote to memory of 2476	2852	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb016dcc40,0x7ffb016dcc4c,0x7ffb016dcc58
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1560 /prefetch:2
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2364 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3000,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3012,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3624,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4832,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4932,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5084,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5304,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5444,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5980,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5580,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5788,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5516,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4244,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6424,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2396
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3940
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5676
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:5756
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:5728
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2284980524 && exit"
      4⤵
      PID:5800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2284980524 && exit"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5824
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
      4⤵
      PID:5984
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6032
  - - C:\Windows\D52D.tmp
      "C:\Windows\D52D.tmp" \\.\pipe\{E7407954-A208-4B7E-9ADB-25612E3A6F87}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5932
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1452
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2332
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2116
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5280
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7024,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5824,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6940 /prefetch:8
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7016,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=7268 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6248,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=7408 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7156,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=7300 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5724
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:1528
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5900
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000234
      4⤵
      Executes dropped EXE
      PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6016,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=7392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3464
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5320,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5664,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3704 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5496,i,9826355716870382905,1951140784057529573,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5748
- C:\Users\Admin\Downloads\PolyRansom.exe
  "C:\Users\Admin\Downloads\PolyRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:5692
- - C:\Users\Admin\oekYcMIg\mcYwYQYs.exe
    "C:\Users\Admin\oekYcMIg\mcYwYQYs.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5700
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:3956
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:5772
- - C:\ProgramData\DQAUQEAM\BckwkQkk.exe
    "C:\ProgramData\DQAUQEAM\BckwkQkk.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
    3⤵
    PID:3708
  - - C:\Users\Admin\Downloads\PolyRansom.exe
      C:\Users\Admin\Downloads\PolyRansom
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        5⤵
        
        PID:4064
      - C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        7⤵
        
        PID:5556
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        9⤵
        
        PID:1720
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        11⤵
        
        PID:4080
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        13⤵
        
        PID:2108
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        15⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:1424
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        17⤵
        
        PID:784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:5696
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        19⤵
        
        PID:4064
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        22⤵
        Executes dropped EXE
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        23⤵
        
        PID:5928
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        24⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        25⤵
        
        PID:2880
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        26⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        27⤵
        
        PID:4796
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        29⤵
        
        PID:5372
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        30⤵
        Executes dropped EXE
        
        PID:200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        31⤵
        
        PID:4532
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        32⤵
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        33⤵
        
        PID:6112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:1004
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        34⤵
        Executes dropped EXE
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        35⤵
        
        PID:3372
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        36⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1900
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        38⤵
        Executes dropped EXE
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        39⤵
        
        PID:836
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        41⤵
        
        PID:5516
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        42⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        43⤵
        
        PID:5372
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        44⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        45⤵
        
        PID:5168
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        46⤵
        Executes dropped EXE
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        47⤵
        
        PID:1124
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        48⤵
        Executes dropped EXE
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        50⤵
        Executes dropped EXE
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        51⤵
        
        PID:1896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:3076
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        52⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        53⤵
        
        PID:4276
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        54⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        55⤵
        
        PID:2176
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        56⤵
        Executes dropped EXE
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        57⤵
        
        PID:5188
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        58⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        59⤵
        
        PID:5792
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        60⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        61⤵
        
        PID:5556
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        62⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        63⤵
        
        PID:2880
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        64⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        65⤵
        
        PID:3768
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        66⤵
        Executes dropped EXE
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        67⤵
        
        PID:5168
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        68⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        69⤵
        
        PID:5256
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        70⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        71⤵
        
        PID:1152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:5940
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        72⤵
        Executes dropped EXE
        
        PID:6008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        73⤵
        
        PID:4796
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        74⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:4188
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        76⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        77⤵
        
        PID:3540
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        78⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        79⤵
        
        PID:4708
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        80⤵
        Executes dropped EXE
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        81⤵
        
        PID:3108
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        82⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        83⤵
        
        PID:5648
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        84⤵
        Executes dropped EXE
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        86⤵
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:560
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        88⤵
        Executes dropped EXE
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        89⤵
        
        PID:1152
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        90⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        91⤵
        
        PID:2332
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        92⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        93⤵
        
        PID:5176
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        94⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        95⤵
        
        PID:3364
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        96⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        97⤵
        
        PID:1896
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        98⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        99⤵
        
        PID:2108
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        100⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        101⤵
        
        PID:4188
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        102⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        103⤵
        
        PID:2372
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        104⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        105⤵
        
        PID:5760
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        106⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        107⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:1092
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        108⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        110⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        111⤵
        
        PID:4284
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        112⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        113⤵
        
        PID:2840
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        114⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        115⤵
        
        PID:4040
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        116⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        117⤵
        
        PID:5552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:904
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        119⤵
        
        PID:3084
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        121⤵
        
        PID:3712
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        122⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        123⤵
        
        PID:5396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:1084
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        124⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        125⤵
        
        PID:5776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:3464
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        126⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        127⤵
        
        PID:5564
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        128⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        129⤵
        
        PID:5904
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        130⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        131⤵
        
        PID:5660
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        132⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        133⤵
        
        PID:1620
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        134⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        135⤵
        
        PID:3832
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        136⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        137⤵
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:2580
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        138⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        139⤵
        
        PID:5488
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        141⤵
        
        PID:3068
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        142⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        143⤵
        
        PID:224
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        144⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        145⤵
        
        PID:1400
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        146⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        147⤵
        
        PID:560
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        148⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        149⤵
        
        PID:4284
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        150⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        151⤵
        
        PID:4712
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        152⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        153⤵
        
        PID:5668
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        154⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        155⤵
        
        PID:5500
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        156⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        157⤵
        
        PID:5176
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        158⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        159⤵
        
        PID:5904
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        160⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        161⤵
        
        PID:1820
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        162⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        163⤵
        
        PID:4472
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        164⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        165⤵
        
        PID:776
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        166⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        167⤵
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:560
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        168⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        169⤵
        
        PID:4416
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        170⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        171⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:4028
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        172⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        173⤵
        
        PID:6132
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        174⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        175⤵
        
        PID:904
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        176⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        177⤵
        
        PID:5972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:3180
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        178⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        179⤵
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:1736
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        180⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        181⤵
        
        PID:4444
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        182⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        183⤵
        
        PID:5612
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        184⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        185⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        
        PID:776
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        186⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        187⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:5476
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        188⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        189⤵
        
        PID:5552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:1620
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        191⤵
        
        PID:5220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:1092
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        192⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        193⤵
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        194⤵
        
        PID:5852
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        194⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        195⤵
        
        PID:5844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:224
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        196⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        197⤵
        
        PID:5492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:5220
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        198⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        199⤵
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        199⤵
        Modifies visibility of file extensions in Explorer
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        199⤵
        
        PID:3068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bewEMYcY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        199⤵
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        200⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        197⤵
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        197⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        197⤵
        UAC bypass
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksIEIIEI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        197⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        198⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        195⤵
        
        PID:3720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        195⤵
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        195⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEowYkMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        195⤵
        
        PID:1036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        196⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        193⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        193⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        193⤵
        UAC bypass
        
        PID:5972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        194⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HakEYoQo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        194⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        191⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        191⤵
        
        PID:1588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        191⤵
        UAC bypass
        Modifies registry key
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeoYgkIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        191⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        192⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        189⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        189⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkcskYok.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        189⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        190⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        187⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        187⤵
        
        PID:5188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        187⤵
        UAC bypass
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMwcIIgk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        187⤵
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        188⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        185⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        185⤵
        
        PID:5168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGcwYcQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        185⤵
        
        PID:3464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        186⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        183⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        183⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        183⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoYEAsos.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        183⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        184⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        181⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        181⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        181⤵
        UAC bypass
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaQwgcIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        181⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        179⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        179⤵
        Modifies registry key
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        179⤵
        Modifies registry key
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyoIkcQU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        179⤵
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        180⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        177⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        177⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        177⤵
        UAC bypass
        Modifies registry key
        
        PID:3464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egAIsMoE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        177⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        178⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        175⤵
        Modifies registry key
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        175⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        175⤵
        UAC bypass
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omsEYEoo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        175⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        176⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        173⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        173⤵
        
        PID:5648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        173⤵
        
        PID:400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAAwUUkA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        174⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        171⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        171⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        171⤵
        UAC bypass
        Modifies registry key
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyMgUQsc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        169⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        169⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKIUEAcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        170⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        167⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        167⤵
        
        PID:1736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        167⤵
        UAC bypass
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmkwsEws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        167⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        168⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        165⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        165⤵
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        166⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        165⤵
        UAC bypass
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        166⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggAUUwYQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        165⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        166⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        163⤵
        Modifies registry key
        
        PID:5600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        163⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        163⤵
        Modifies registry key
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCwkIksw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        164⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        161⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        161⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        161⤵
        UAC bypass
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmwMYQMA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        161⤵
        
        PID:5792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        162⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        159⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        159⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        159⤵
        UAC bypass
        
        PID:5152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEgckMsk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        159⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        160⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        157⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        157⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        157⤵
        UAC bypass
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMYAIYEk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        157⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        158⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        155⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        155⤵
        Modifies registry key
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        155⤵
        UAC bypass
        
        PID:5660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        156⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgkkwYck.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        155⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        156⤵
        
        PID:132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        153⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        153⤵
        Modifies registry key
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        153⤵
        UAC bypass
        
        PID:5196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jycUEYwk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        153⤵
        
        PID:6132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        151⤵
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        151⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        151⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEMQMQAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        151⤵
        
        PID:5560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        152⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        149⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        149⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        149⤵
        UAC bypass
        
        PID:5500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KskIkgsc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        149⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        150⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        147⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        147⤵
        Modifies registry key
        
        PID:5532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        147⤵
        UAC bypass
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqwgAwYE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        147⤵
        
        PID:5188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        148⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        145⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        145⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAwcYsoM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        145⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        146⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        143⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        143⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        143⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUswIEsE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        144⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        141⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        141⤵
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        141⤵
        UAC bypass
        Modifies registry key
        
        PID:5224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCAsgQAk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        141⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        142⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        139⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        139⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        139⤵
        UAC bypass
        
        PID:5356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSowMIoU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        139⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        140⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        137⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        137⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        137⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUckgUko.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        138⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        135⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        135⤵
        Modifies registry key
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        135⤵
        UAC bypass
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKMIUgQM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        135⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        136⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        133⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        133⤵
        Modifies registry key
        
        PID:5976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        133⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agMAUYQg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        133⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        134⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        131⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        131⤵
        
        PID:5244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        131⤵
        UAC bypass
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEogEokE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        131⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        132⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        129⤵
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        129⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        129⤵
        UAC bypass
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOssAwYI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        129⤵
        
        PID:5372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        130⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        127⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        127⤵
        Modifies registry key
        
        PID:5484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        127⤵
        UAC bypass
        
        PID:5652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reQIgMsA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        127⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        128⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        125⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        125⤵
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        125⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWUQQAkc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        125⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        126⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        123⤵
        
        PID:5236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKsoAYwg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        123⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        124⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        121⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        121⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        121⤵
        UAC bypass
        Modifies registry key
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryUYoUYo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        121⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        122⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        119⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        119⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        119⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEYkkoIs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        119⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        120⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        117⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        117⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        UAC bypass
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JascMQEc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        117⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        118⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        115⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        115⤵
        Modifies registry key
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        115⤵
        
        PID:5164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYgEcQww.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        115⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        116⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwAkgMQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        113⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        Modifies registry key
        
        PID:5600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        UAC bypass
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkwQMMAQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        111⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsQcQIoA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        109⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        UAC bypass
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyMskMoA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        107⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmkEYUAY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        105⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeokAYkk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        103⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        
        PID:3720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKgAIUgo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        101⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        Modifies registry key
        
        PID:5376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        UAC bypass
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCwsoUII.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        99⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        UAC bypass
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGsEQAgk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        97⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        UAC bypass
        Modifies registry key
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOcUkAYM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        95⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        UAC bypass
        
        PID:5376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgQEIAgQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        93⤵
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        94⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        UAC bypass
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SscUkQUY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        91⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        92⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoEgsIEE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        89⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        UAC bypass
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQkMwQIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        87⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        88⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        
        PID:132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEsUkcEI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        85⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        Modifies registry key
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOMkoAQI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        83⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        84⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        UAC bypass
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqgEowok.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        81⤵
        
        PID:5244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        82⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGUEIwIg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        77⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        77⤵
        UAC bypass
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsYIsQoI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        75⤵
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        75⤵
        Modifies registry key
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        75⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eacAcsMk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        75⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        73⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        73⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        73⤵
        Modifies registry key
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwowgQQc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        73⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        74⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMYUQYgg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        Modifies registry key
        
        PID:6076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        UAC bypass
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyMMIkwI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        69⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncosUEAQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        67⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        Modifies registry key
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKAQcoYg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        65⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        
        PID:5732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuYYUMco.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        63⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        UAC bypass
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWcgMUQY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        61⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIQsssIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        59⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuwYoAsE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        57⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        
        PID:5556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUcAAsQc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        55⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoUQggMc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        53⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        
        PID:5332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEIMUAYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        51⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        Modifies registry key
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkkMoYQg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        49⤵
        
        PID:784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwggQoco.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        47⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        Modifies registry key
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OicUgAoo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        45⤵
        
        PID:560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        Modifies registry key
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEoIgIcE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        43⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        Modifies registry key
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xooMYYsU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        41⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        UAC bypass
        
        PID:5488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeYIYkcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        39⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        Modifies registry key
        
        PID:5276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viIYYIQw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        37⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        UAC bypass
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOMoIksU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        35⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        Modifies registry key
        
        PID:904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joQwUUws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        33⤵
        
        PID:2880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        Modifies registry key
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAoAkQkw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:5732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        Modifies registry key
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyIkwgkM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        29⤵
        
        PID:132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwUEoQIw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        27⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEAEkEcA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        25⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hikYUcQQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:5760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCsUoYcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        21⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies registry key
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        
        PID:5652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKUEEEQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        19⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emgEQsgo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        17⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:5856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAscEcAY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        15⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        Modifies registry key
        
        PID:5960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myEEsYEA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        13⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgUkMkUY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        11⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SioEkkQA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        9⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUwAwcAs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        7⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:5680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:412
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUoggEco.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        5⤵
        
        PID:1636
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:5360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3312
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:5564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkgkYQUA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:5836

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3732

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5552

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Drops file in Windows directory
PID:5904
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4240

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DQAUQEAM\BckwkQkk.exe

Filesize
198KB

MD5
686e50844689d7c4f79e9475993c9b8b

SHA1
34e7ffa210db7d45115b584388a31fb33864ff83

SHA256
3a7168010d72b0d0d73619702b909a5ccb2f4abdd17ddc112478b3bcce886ec8

SHA512
fa81d401c77e0c5966f7e12e447357f7401d43513fcf03fda066d823171ad30263daa61d7f403db07aab343bca3d2799414fdc73f48c97f4e8dfac721f8f7e6c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
228KB

MD5
4ad45019a532adcb7576a487a665a1ee

SHA1
24045e1a37def219b8c147cb155399b237bd6833

SHA256
483cc0102fa4abb4cd6e8312a8853e7d221e8d5b646ac4ca31d83d0c6aebe516

SHA512
981be5ba8aabbb06bebecbe77d67f9fe8bf06c9a82e8dbd5e2cac242e9ecf4e00778a0d0917a7fff74e90865e260aaf73d86ce0e79b6b2a33d8c0d1bf3473ff6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
223KB

MD5
3871773122fa9f8629c64b21acf90135

SHA1
9d9b9ce03e396fa5602618cbbe286cfd750aa9d9

SHA256
96f9b012f9683308b5dcb1addafa49012ab274a9853b01dce2c1218262994668

SHA512
c422a29c94d3d4192944a782311a446ea347f9eb325e61205716453018eb20fda653ea66908a848ad2919f2644d0af876d2e9a153740537fa017bd9a13a5f4af

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
228KB

MD5
f82ea55890abe26a4290a3487d031872

SHA1
786ec922eeb75e7b1748fb748ba5a21782263dc6

SHA256
761ace62c5d328a558b964019c5996c0181c1afe39a7b1f96ce68bbb31aac1bf

SHA512
ff4249dd1dddcb88720a2bef40de890c0eae0da5e13c846bfd6d28800ef3f00204c502e982d09067782c7b300265b5f882ec6be2e4831a0d9ed849c8450e0524

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
836KB

MD5
9b551d18e9b4cc5b03445f72c5cc70d1

SHA1
e56607e62523beed1812632687b7fa86b9b18719

SHA256
1c6aceb5ca72294971456d1909fa7dba2e987a962ddf0f70fa0664225712cc7f

SHA512
e9434aa9cd9c928e05620ea769db9ae51b591e0402c6b469d43295ef9353a07b829a4ae91d36738c682a006fbd871355d7739463e9d35d0f9c926f4407c828ab

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
803KB

MD5
6445a1e7acd20d17aa1edaaeef43f036

SHA1
3b0b3766b32eedb401806be165ce5cbc7b5ce643

SHA256
c222a42251d360107c6b201517829ad4cf1a0567f1f3e273214be8540951e2fb

SHA512
0980b7a499c6a24f67535208ee27f5c976d1fa591302a89258e9ea3dcf628a2dbe78be29d031e1fd0cb7d1f9614b782bcce3f2a261bd36d6cd2964cf1fd625a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\60eb365f-2289-4508-9ed7-9285e43af112.tmp

Filesize
11KB

MD5
b6cbeba0eebe93dcb4e3f433a6347229

SHA1
bce1e277c15c9eacccf0957ae8ec3f7ebd04d411

SHA256
2fe9428ce23b7e04c73d0a752a76622ac28f6f011ea92da087530300e6cbed83

SHA512
bd6ea238c943f9aaf13327a38d57eed63432aec39f214ed20edcb9e56a658880481be659df7cf928efac844df9c25386aad166851fc202e973c406de5276b424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7ea40b056c7d0f28bb3b0ff658384600

SHA1
55596a3ee9c9ad1bd8871d1f100048a3a34bcf05

SHA256
cddfc4dc4b5a6412dda7d95ab2e5dc6fc278b948dd14bc177ddf15b20fa1c7e9

SHA512
04af1af9f62c8daf34ffe2687ebef005afae6dc6b4eceb7469ecfa54a0322819c91d366cc08bd70707d70dbd7e2b54025d09e56aa637976c94fe5e04d73947c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
47KB

MD5
d68e16f4b1c4ac2ba25a3832816a9a73

SHA1
483d682342aea24ed78443e09a4f9e1e4e7bee3a

SHA256
7a3b1646e73713640dabfc22a14a07dc2f0e3eedce783f1312552286104fed77

SHA512
67810d66daec6198445c431bf0b7eb1b78e8a3f92fd303ce342e6d7efe59c061283dbf7d7281fbc11416097022d365698b1f0cbef22672d09d0bc736a3535e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
232KB

MD5
8a3004a6d32a32dbc11d59d4a859da54

SHA1
b5aa6f7d77a6420e8c85a2377a4674f6bb7ebba5

SHA256
3a6ed4947a4611f0591f2924b710cdad78d39f5552e8552c21c72fca95665929

SHA512
32e23895d8a48ce1ffd16a83a6d30721b9c939677b5e47bfb15f37e6d1f0795dd34f1a41c73b8b52f53bb5efe8266471f5aebaf601175606fb48a1fcda9f29ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
605KB

MD5
4dee9994f5847adf284d8727c6109b61

SHA1
b6a2cec46baf82da9c8ac7c8ffec6f75dfdb7e7c

SHA256
e81ca154c634f1d8e56580995718ec7c34fc4b45b61c36805ea347040d124e64

SHA512
96b56c04b315927ebf5c0d780ca6d94ec0a8e8544cf9c01f74540e22e9ede882b00c2d73de6b04c6c2ee7233524688c8fa19c3caccc9a55d8073aaf110607fd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
33KB

MD5
28f28f9ab8d8a15c7b15246b77b413b1

SHA1
74a0bd96dbfb39c19f1ef6399f1a6adc1de5de20

SHA256
04f73e0d2c136265f4c9b50f2e619414c156ead2a5181ce84739922b6c9fad4d

SHA512
d63b7474ebb3a6629c4e20407c0c379e194cb71d12f1047219c072bb2450308fc7447efa450968cfc520e6acb456bfedb8b83162e9367efdbcf49787cfb1d466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
32KB

MD5
673269c477f35966b5031f665816d043

SHA1
d082b1a27742e92a108112c2473a43e73cf5618f

SHA256
42008d6a28b6ea01964980c7691aebb91b93cbb5f8ae8b2668c94d1483a225ad

SHA512
423c2dccf173a1a193138f776befda7b708f5fbd0b4fd09bd278954fcd87d2510d73ec6f5bd0a3133e9e8f946c256ed26040125694c1db6d7d57cb4cae5af4ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7cced298aa5c4a5b72835cec166ee123

SHA1
c640e8964d7d26fdfd81f7abd9a63e410cb4f60e

SHA256
33c2713a391ec8b4ec76b9152986982179a8258b2ae2333511ef4ee41772123d

SHA512
d813a50c2134778f2a1eaa8cb6ad277da3ed54b81a4de6e75148ca4e2644f43165f5b8404e8d7982e35857e0c9505f5e6f10cd63c56489700908161be244c2de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
147b40f94c188b35b88ccc3b7191ff78

SHA1
56a46ab5416d0a0710812f3aab6cae6ad54ade29

SHA256
aa23b851494340fc2c697fdda3c88939840dfdae8fb6ef391908822174f1f41a

SHA512
398fa293aa3ffde828df0441c77968d24ffa7ca0bfe5fce39b8ce44b8309cc2fec9c2ef86e6bae6c63a75e76987f8e4e3cd52164544e985d56c477b5f6ccb4dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
e45bcab765852ef684e6d5d1bc211576

SHA1
90497f2352d0204c3d9045eb1bdaadb12a3b97af

SHA256
a372bd48f767cc5c406c5f17739a5477f5411479abbef082237a5646e66e6afe

SHA512
e547544d4f43b35fb38e2698ec24f8c3167d19173b2e5bde3c02662f247da23ccc9d37b45683dbba2cc2ac491e99df8bab5a7c5372fc04cf5af40c7224d5c7be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
b8bbdece9617e22f5fe64153a1decd0f

SHA1
0f03f76fa57d3ec26a296b9b71e1ed7efd789535

SHA256
12d62423ee4625b1b55bfb7c4926738ea9168f3bc4cb9a8f05256b1ebc4d19d0

SHA512
c22be3994befabab805d25e966cfbec950dbc6afb2feca95453a4ad44f5d617f6933e07a5101b34dc6aa4402f92ec7d2a03862b7c199a720672a540dbce1aad8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1135fd33e15ef2a8aeecfb7bc2165a25

SHA1
3c3101cdc4d91807fd2e5f1880153c8757439e7e

SHA256
291c7ba3f275f577544e03fa4ed1ff7d4fd2e8a844a8b3958bbd634b3259a9fe

SHA512
cc3acde6d5a0387fed8ee298bd254fdfd1e5a10341501059d4e9fc6bf36cdc71c1c09c8ce0618c34240ba1776ca47ec64467db3f32f3515f0eacd7fdad36a311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cc394f38815c314ab372af43e18cf43c

SHA1
dac375004a25522a61e1bb3deb13e4438eeccbc8

SHA256
47a4eb1dc432e4115fdb1414db11a798696485acbe29f9f6563b247045867c1f

SHA512
7c1c46726a0fc1beacff43b3f37db73cb80514473313da6adecbbcd4d9ef08f974bb96f6fb0a3f8e66183bd77764f5683b2dc2630fc94dffc19542c09685f079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
005e2212ecd11c123895f6c4d6d3a124

SHA1
5feb15e33e19dbecf0978890f9f34b1488ac2fd5

SHA256
106964ea864e42b994fbc4e8aac7c50d2af807ef8233061ec5731de94bae7e90

SHA512
e7b0ad0eac21e2cee541953378067f524c159d4029f17aa212236e43d18609977074410f77984cfcdd18227e6f478d7a65e08ebf2d6d981f858734bcf9ccc55f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
99106f438fc5385526b88d6409269571

SHA1
514d7b9c6bd3f3f93fc22ce0a387d204f006b375

SHA256
b8dc434bd9fa73e881196e4fa72e5c4a1821e1fc1ec15f40713f7f13000b2747

SHA512
e692cf00d1696d3d5ff099320515bd8cad9e9f71585225081923e6abb596a051ff43ffb2ffe49fa5c9e298bfb07941ad043f5ac0d94405535927be57e0ddd307

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
83e10cc7f0c78d5e6b71271afb11f88f

SHA1
2527594af7abdf2ee8dc6b071fb88860e597ec50

SHA256
941f534cd035c32add9d5168de71912e41e623dd3bc5c91f90626fc9878a7d67

SHA512
62e1df72bd2f911acfcccc6a3bde030c1e0ff1d5ef6609b3d0bbbf2b9f3dd00c3b46d219a07d87d243ab982a15ed65e2a9a3f90a207935708ba116a140284759

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e0488875f9ae7e31f226fd9c6220724d

SHA1
cf812922f1c9d024d00391b5a07e6de76d388ca0

SHA256
d1a16ae496de125f55701175d6f6d89a14bb90e5cb1aea21c9c4f2dddfc439af

SHA512
ed1be7287dddc1cecca671f7aa4b7c30481734a2956b07733ed7d5d5c4344d380297ece5d5c2799f1ffa17437bf4d6c6c3ea3d359ed7fec411d43fbf01bdfdf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6d53f6f1a3f26bac2ec60c35a0fc2f95

SHA1
ffe3f9c427215636c17b127e1d1a446f14d13300

SHA256
088c46ade3c8ca3ab063681b2370b7c91a79d39a1b3985f53c32ec81525a22c2

SHA512
bf4ee3c9478ad144c8b10ce041b4bd132bb38f051822b874a5fd24105546e1b12bca75d90f0ac74063d21cd8f0ea8f7b98bd33f3a627e00f34626e813a90bb56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4d54c4f96e60fc6663847861a5069f62

SHA1
5e849d9c7bbb9bdc7e2e0e1df60787cf843bbbe6

SHA256
3a265f9f2575babeb6250d934ffe64457b5cbe175358d637175b194044b299a1

SHA512
65b919964278059c693da8ae638ed145fc1c8b51af882673212605d0925545c3e5817212baa64a2987a90e45329b48ecc71adb52cf4b3afcaf4e418e13401731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
b7473bac9560dfe5433ece21c055c288

SHA1
88528b7d35a3787e336a422037e6397989f9b1e1

SHA256
8c985c7eb5064f932eefc33da45ad970406e9890bafe854d975e6db640f55ee4

SHA512
55700c8c0b9cbd232b59f934181679c4c396aaf0763bfda0ccb7a87d176fee92681a86054d1ab0f0861f237695830d125c774cc8facd148113ede98e4406cb4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c7cb8bff7e6f3beaea6f4c465ea4cb0c

SHA1
572cf6d5c8142d6739345b0caa1d1506259ba969

SHA256
94b3ecbf8cc04a5b6cebfc4fa6017f0811c277c575fe4eec30a100ab6c9883a3

SHA512
7f62bb471f5112a0a7ffdf35d2325d85c64ae2136b6cabbaed329f032cca571ff13c7adab99622cc565deb23890ac78dbd8caf91b7c87a0132c2d965dfeec565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
693184682444e57cf9a9adcf6f6871fe

SHA1
314329ba5b28da494ece92154b71bf3fa6b5429f

SHA256
cf5e20f6eac5a10d3f44cc46f1a152e3e0d613699bf0e72d7aeff896d91b3f27

SHA512
2f5c93442073f3e15c744b293befe55d2ff272f9e6a91f29d6c6f5a55502441c40466179d241990e012e94fe8c40e977b7906d63337c6ccfd1d40e23bde460f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e6e208011ba67cf48b38e9631f07666e

SHA1
9d1807a0a00cef0625d1444dddc564ae52ef3e6e

SHA256
8ddaecb1fd421ef8f8ef7629b06d869985f4cc93831657c941d6677a46f51607

SHA512
49bc730b0d19be03ef0a3032e082b567b2d5442cbbee7968db94ec04b6e45f5b560103460f00908970e2a42de39f4605f0c233a93253439c3075da15ef825853

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4046198d93156c05051ef35c0420c6d8

SHA1
e6706858537e33d690d296e8994a86454fc5e063

SHA256
03b4f8e4115426c3543b91160203b2f483d60f345294407091697eb95d374420

SHA512
fa206dbb57439a769f729ef2b8d1c0d0061ad48f9009dd2bdf51c96e9ad1e8ce5e7f73008becbdd7f7fdbb1d192ea244e8cc7e0caf2901d5ed3386f9e3e31479

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f295f140ba88d50c668b103eac6970a0

SHA1
ca6566cad804f0b776ad40cc3420eb25cce4b485

SHA256
adf99e8522f31f0f59cedba2bdd025dc59f8df300e577353356ae26ca5663528

SHA512
305f045295effc5ef97a1f002785824df2e7af125d4d9349358f036d11f06a6c2f3f6749ca564a5d034cf3cfdce64eb8bc2038a0868aed41b4c07d98a3f2c169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e2dda1a01ae7edfd656fb761da32fa77

SHA1
d1f9a179b8bc33b2ce9543059519dac259708d2a

SHA256
595f7e0b0beee98ebc8170292bcbb7ee26838cb2077a02f6efa969ad2b9b331a

SHA512
1a8c65fec2c098e89fff45eee24e2d1ec85c1b405bc131839022442f5b01022d44059dcd51565b1ace0aa6707ae9f906f3700de98bc9f50e5d17dc601fd43915

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
061336f8150825303ea76b540cc934b7

SHA1
f10b163d2c1a25e00291a91f79af0f73adf2cbe4

SHA256
d5d7625e4a763ef72d494bd97e9dc81dab29009a2b6a7772e75b0ab0bff201ab

SHA512
579ab76445aa5bf773ed91b837a7ad791c0752a193389dec814fbe4e9ebb7aa0952baa28f67087c79e259411444fbbf28eba46754e601e1aca3c718736db1b58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
b19ebe925ea99dae55707128f74ed277

SHA1
ebbf6597d3949f5038c078e99cbfc9a1efee6f7d

SHA256
340f574b49b3faf9f4b124fcabece9ba115e3f909a0fc0722803d0ddd42fe2ba

SHA512
68e294b9b791922b1b7ed5063c0db5c356b00f41e481e3e1d1b7e2b160d6ff1b389e4d290c52cac91a03f3f56cd383a92e3de97c3d22b8958f97f1188c35c6d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
b3f2bbd7426fb6a87ecd3ff1b375b7a7

SHA1
c3b6e27431bdb0ad8f4d0c3ad896ed3296db6cdb

SHA256
10529b7a115e7025379157165700fab994c6b0e8e797b34899ebc63aa255e9e7

SHA512
c621c1d518479eef7b842e00f868d6e3ee11c9e54f3e26723d162d00e2ecd853bb28056d38d34494c78eacbf42906f43ac34c41953d2e5216e5aa8dfae817f56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5c86859c1355150f4896e161f02cb599

SHA1
65582645f82da43efe929ea2c22809e2a6283776

SHA256
053c4502575bf4080f78a4e0aaba1a62bb81c46ece91b4a09aa7663a58a2885d

SHA512
b45615e423ea59342022a92c6d50dd34d24d10edb731e16d75d1391e66bf2a6edddd90f0476147e86d7cbce950b3dc49e732d64cdb6bb4c0b1904686686afd31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1626c36f283f53827955c322d9cd6ecd

SHA1
a1b5ad57fc42df4d6eb4ffb6a95c4d3fc6daa5c8

SHA256
cc982306f76e3f954bb03fb51b451353ed7eebbb1e5e68062321b5ff8f0d46df

SHA512
004f2af7eeabe893312768a6db0aeccfb1bdcc7839baf0d18beb5338023014d4c736e71cf9b174e175c849045c97a4f3ef68afc60de7e098245eaa7472ee9da6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
913487f8f2ec719ca546aece3e6b8e71

SHA1
68abdd89ce0de56f637904a8ccc612c1edfa095a

SHA256
b46f842bec542ae3d55521300dc84ecbdea0607ec2bcd1570820f617fb52a462

SHA512
99a418e1a13eb6e076b65ba8d538132c9e938dd63e2799b01026fc1744935e1550cddc043b611670b7ae7fdc280b005cc4e89dcb0567f40c104507189c96bb92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c306195d0ac14931db26e6878a9ffea

SHA1
f4cc0653ddbd89e5ee4b09277232c4cf2006e0af

SHA256
32bf3e1d0b6f03c9269b4f921d33f698885a910ca3bda6c601d6807bbabfbbc2

SHA512
0125d48dfcd37e600faca297c5fe62ab99646c6f7a67f760723b9680cafea822557038332bd65eabe2f04b1de157a15b7bba1476a01922cdd0aa9eac44ce6218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
839d39918364e79afec1afe91902e9c9

SHA1
836a35c7bbddc2f5ebc321d03c5fc5b28b5e086a

SHA256
ec9b3b5295326c154297cd052ad79cdccebf1aa106959a98bab9a13fbe91b2af

SHA512
30e3fc2b24a4f316ee43b04096ff6f3fd3755d4ab3cab7c88add2bb108d23f25e39ca83330e7fd73b704b1882226acd915b71d958f2e2b9f4e011b11229dfd22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c7b407818360e3d042f8f875e25fc8b2

SHA1
943c9b7cf4ee6dfa4afb47171af56123c85dc82a

SHA256
9c62dc5b078206234ab6c85744b7ff4a02e32723af6164ed0ec15f50086d20ff

SHA512
ff254eb5b5694b5f8747c9b1a9d7b73083f73b15423972e48cd3412b13bb992850a373c8e949f361fb8510fa27f894566f252a6fc65b6651f72b151e9e52ebc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c656cc0064adb9fc0240df9c406ebc6c

SHA1
5878ff23301be67131a87f0357b8ee67febc45b8

SHA256
e35bf39e3296c4eb5824dc29088ed539bb4a91cb6b56be6e9f0106a4713d65dc

SHA512
2a05afebf0994e19ba71a063ec0113186978fabe8dac205da6b0afdc638580967b90a29103cf384cf9c6bcc81ef02dea0e272cdc6f10858d43e5bf47a00bad3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
8f44ceb770266f2019ba4e9d3557ece7

SHA1
8ea312eec7ab52e542a4e3ce414c10b9f27a4eff

SHA256
5ee47b02dbfb3f06bc93f989c31fb0c2f61fa036e0922322586df259411cf2fc

SHA512
85c715a2f5da7792eb3f22c6700e5372bde63142044f9d63a145630ba483e5fdbaf11a58c448f2ed54a6092b0943b78e202492be3f0ae24906bbe4a9287d973b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
38afc049eb6be99cb65fa189a264d824

SHA1
200c715436c41fb38b70fc2e14477808af513a34

SHA256
18a037c150f888866865fcf2ca5cf43b4f8b0921a9ab45445dbd96fa20f16737

SHA512
bb8e2fdc791b956ac16d781f4e9afddf828c8b8563a72b06731baa12327a95d58c12fceda381b5663b80431038b684da196e831bd5e5d06a37240c67b3a0e331

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
4a0699d3713969e06d2e64ae4ce31fc6

SHA1
729faaa3cfc9df076a528185ef5d79d30abe9aff

SHA256
a4100b1ce01e2f91851e28eb661403521dac60511a6c504980c32f76ae6dbe8e

SHA512
eb93bcba75b870a88dd069520e570d6ec0a86e67f668dcaaaa1fb4bda7e6de64ff5d0b4faf2d7528b1ebd185339d5cbe985f299b63245656ff63066d1497a75a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ec8cd00dd3ea8b101bd51915c37fd560

SHA1
f09e78e3d1179ed373ad6e96e8cf1dc43a9e08ff

SHA256
c9029537db31255dccc43d5e9c9d46779b53b9cd1a0127b248d7e5eeb59d122c

SHA512
931e2acb17956895fd7f48e80e6854f83f3c2bddbf826e1c1568ede3eb41a5361088426e410fdfcbe89825a9925d0ed7eabbd999dbf258ca1637d3950c614beb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
6605956ff0a8c1a4c301893205765178

SHA1
0371d197940bc6c2bf210104b72a0856de52d1a9

SHA256
cd86c51ecbf20672cf641953d270285b068ce8947071d460465f203ea2215fed

SHA512
f358b193dc97e19ce3603995f2181e7144bb39e98f33fab4583c34eda0a878971bde9b25dc13b548ba5590aff67c07e9374cfea63335fcdf204aafea41b85276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2c3fd3a41caf56d7f24121ae09682a7e

SHA1
403c057b0c08611b4f2ed30418f14efaa750c446

SHA256
62494927659f8f2e6dfbd27d07f2ac9119d97d06c3773f2fd9ffe02efdef8dd4

SHA512
acc835a1549a032455b4b9a8f44e8eb86065cfb0a3a9b5280301de77e9088a13c7976f35a6d98e1dcd736d35019b40f5915530f7609d76ec1d46b4cee0c09a30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1d4ee31d98ac6d67dcc1797ae240a258

SHA1
740a99c5db8b0bf08297cd7dfb92c08063d2ae23

SHA256
8b3bf859b43209fb4b2115dd1f5c0cf93c8c067afb2c7a208ab4a424bd19cd48

SHA512
ac6c40e05ef194cd799a76b79d1a770b3d718ce7975bc649e90008988b749b5446d58805abf5b0bac00454e04e6be701648721b7a01e77b94408af947cf87a9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e47992b346fc6271c3bf12ca72ce9de8

SHA1
dd5930ece5e96d7002dd87ca3d83a82d5f6a2cee

SHA256
492c93d1f3308e0159873af00bde96f7c809013f9675ce20abb925a1a47405df

SHA512
f8b26c2ebd9b877b525b9e76ce5931e1cf732224b6576347bcc606f4874e93e264548988033da81a45a8ec90798fe963be01249675a3f3342148d50df4182b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
38c6d05750fe82c8d3648c275733871e

SHA1
3cd82a290409e07129e4f2306c604bb816952160

SHA256
cc50b8434e69e9e2b5d00289a963474075c8f4d9d9ec944fa47c2c26eac4671c

SHA512
c719490d94cabbe039c5d25b0583de83e05a6a02dbdcbed6570a4994e51bfd2b7b302db2882c591109a900d910f2370ea1163fb56a55364e420d44ac6f066592

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a54ea26881bfb4fadadd64e7640cf88a

SHA1
0b13095b0796961c179bf52b9b07be6a88d27553

SHA256
165f83b977a698a124adf1d638a80bd49f988bc3939ddef380d745a56386e7ae

SHA512
5035bd5872aa32dff0826fd0cc1c6290dff92accde4e06a71be578c4f21c71f46a38732edb960cee69b166a20048a051ed5fcb597d78bdc9d8b53ebe9c7bb5de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
dd184d28df01e01ec930707aa20b7cd0

SHA1
a012b6d64d6efd29487635eaaafa2f3992ce6cf8

SHA256
eae241b65542a6e5795b57612e2d05635d604dca0950990466a9b318fb2e4175

SHA512
e44824b7475e2cf3f510b071c3866be397fdcb28b3b37a2414ba3049d084608e041bfc32b90a723354ad90716af7d31bade70fe200277e30ea60d6fad9e33a44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
d2133d193bb0e4e269f8f05d55ca8a49

SHA1
c2014265e172f80f3548bab4f8df70b2d0feaba5

SHA256
9e1d2b65470d92b0bfb035c46fff0fb4d94aa4ac2fa932022aba124f942d1ba1

SHA512
83a15160057f8b1d8a7116ab5dc51357265a373a60bcbd0c896c6135da887c3cc6fb4639a844d008a32d1a3d21c5ab42d70616d584bb566e66aaa21107b071ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
99490815d7676acbece5deca47a19aed

SHA1
d899de94981c89ca801ba6a8df91c8492503e92d

SHA256
581ef96b3d7adddf64fb48ba756ee8048f62234c7a6907835b6d76b0209042bb

SHA512
1594ca26cd8d41db4feeaeed7b7bf7da4d104ddc396772b91c29db576f08872c634ae2e273379f4f33548464662f2d44e6d993cd7aa3e17a095457b5f14cff6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a55cb4bb3b3fa33a4a7d54c2a9ce713f

SHA1
ce1be158908c6923d10e56e345f6ba2076aab1f5

SHA256
7835a901a9165515f3cf71cecd8b6528fb67764ba418c10d201ae551e5adc723

SHA512
757e91f917e2324f1b113891fd0ea19b6ee9e86b667ae8fd8ca5128e422ef13d5f2e98805b8165a84ca79933559c61055c43dda7c1545e4a1b269e5754bc5f3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ccd9bc76ea9aa45f9dddf0b3d80e1c88

SHA1
ca46b74108287debd4c39e5865232ffc1fbbebca

SHA256
92381657dd73750908df1f726679e0c07bb1e18e3d95d77326f3260c648f8ef6

SHA512
2218b0a5b2883efc8822eef77489b8ae3a8bc09ac713a779adb8911f2eaa4bab11c9b061ec7cb2cfb81270cc39c5a248f2b9665d331bc48e3c32042450f02edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
569b1f4cdb8d73ffe077c7e6ad6b10bf

SHA1
ef52a50a33bfde6d701bebf41673683cb29f42b2

SHA256
8d14e64ecba01f4c9c7c4d5826dab457890c3bac6bfe706256f4beef3fa05304

SHA512
6d9b76398cb8d1733df58638b622891ef55ded3f7d16b4b0f5cf87b74d3330c338015b51ca3b8c64fd7200fbd15d0c4a39c1a1d4b0ca2d785da4a349db5869d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
9344d005101fed9a43fc411cff7dc034

SHA1
64f1a11a5f4c2f63cc825a73a96d5cada53998b3

SHA256
ae83dd112ae375f0e91bb1309e341f6be38d0f9e7b06ae5b9f0825c8b1d08cbb

SHA512
c7e0fbc69aab770da83e08f2c25208a85fe96654a802f01ac3e07ecc5f12174c990bcbab5d1b70cbcea129990c5f669fe309e0688e9724a9d4cf7e04935ede9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
54a1fad97c30b1ab2313569f32c91753

SHA1
53f2b82e4acc7ea962bfb54c40622d1b179f5fae

SHA256
38fbc56d8a5396837fa4053806de1c0b599f387418dfbbbcfd053d624eb53017

SHA512
4e82eebb0fe7a17de3f3aeeb21494877b5e9a56308bd6db313953488c090e0684b806ef2f42b56506979027d82d15645af225631bc3284d043c747d0821b772f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
adbed07b1c5913b2fe96117e8e8aef5f

SHA1
a86c35bd93b1518d227cb26858b031783744f11f

SHA256
daaf05ae9b66cedf2e540672cd9ba1350055d30e67941a8c76763d1f7624ff37

SHA512
139a18bc4568d973abe84f808680226ab0fc825c816e31b154cac1c561ac9aa398d7c9b66ef764a5dc44a62c549fc5e2e18006efd9242717ced2bd4c731792b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
bea8f668fa9832037d1f81fbb647af84

SHA1
232ae4a13e7acbfb81e5780a04e27efb1cd65e51

SHA256
cba32e38154335ebd9b5828a1deff9381a8cdba666005f3b91742bc9b1ef3d68

SHA512
8b5adb9582eb3628a3a7843c0ea4c45b65409dc45063f7ddfbcd6fb3bb2516466996a6fbb1a3d7a0b20a5e1e05fe84163137ba570bfe0dea610c2b7535f00283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
591bd1c178d56aa14a803d88653c4cb5

SHA1
5affced439395748f263387fc46946dfb18c954a

SHA256
edda96c7377cfb3bcaf80cee4db637db3630d399b88a4933508d8c8bdf7e7bb6

SHA512
b39c4def8cd61561e101b95db22d1c96a0b06abbec7019208772817be1dbe95166e77ef9e679d4ca77a36ad571f9bcec89444685fefe58a220cfc6ed75e7c6d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
d07958cc15dd7624c24113c5646b27f1

SHA1
ff9b12cdf731d2d17166b724746229f49b0b3c1f

SHA256
4c89be3109125c1977a6627448b4bf8402d06be438e8b6fe9ce5e631829e0721

SHA512
9473dd775547b8c08e62b79de1853e2a617dfe29b18151e5c360082ec4551a7d36b3884167337281c74c667e79bf4bb8bfb1a5caacd0a6a3877808291af7e0ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
aba55d85d675d08222950c7e374be607

SHA1
6d847b5d1dcdc11499b0e6d515c6199ded95ead9

SHA256
cb0db71637c3e3244d385876b41e4e2d2de41ae9cc328d6f7bf3c9211b1e61cf

SHA512
5324944a57b0f87b94fa18a56c8b25ce4c0fef6526654747ec93c5989bfc21f33359cac3c4194f7589f72ba95e1c202ac32f46c73225365c141320abd379a541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c5b60b9bbdfbc115e28d461d3558bae5

SHA1
5f7bf9f002fe995311536ede56dc59b6994abc5b

SHA256
381d43c9e21a32bc208ed426458bf558f8092b06688964d7db1a2c098ec2b064

SHA512
c8705ebf10a54b669000cabe7921b7e7dd5a0e7070d5b0b4ee80d43d1b3b6a9b8c3154b3ff10eb76c3d8ac288ae1ae8cffa97845b44c656b899a74c50767b078

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
d9d6d737079cd66ec838242a1aa6960e

SHA1
236f703ebfa3e9312d7b35b121a1e6e850049be6

SHA256
8cd348eafe1185b03c71d3dc9b8bf3fd6f0b61d5ebe5b5ad624375a8ffccc39b

SHA512
aa2df33832e117681f27d21e042b3c741151916e04d74575fcd46fe6dbad903e71163d684eed7fff6650098a2865ca494ef6923012b03ce68cfff798c0dbd5a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
12bce67053e0275af12e9ba17ef49a2c

SHA1
1627990abe099392a69b4caa997213b3da72dbb3

SHA256
5eb61c27719532583dccf7f466efcbca78dbe242d72f2d4f1b861f4da336cb21

SHA512
635f92757d3a6907296e60e66e760fc57acc953107e8d9081c51aab948cc9584137af526fafbc6c5f105d56491dd438a09c05cb39d10f4d82b5f0070ba774c24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1c33de0008fc2b8d87108129f3031777

SHA1
f4b95e0314d7af05b33ee13f47a8d54ee2aa0503

SHA256
db43b227daf891e082d448c1ac5378faabd62272d76312e4bf88752938063d6a

SHA512
2f8acdcd81845e5291aeed153391a111b973d0f16e86e98bbe7ac65a8626a9f5f589a42d3d665dc86da78e1433cdc85f27e732e5be0c2abc81bfd4889f4d0d5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1eb59173c43381b70da93b4972c38a33

SHA1
317e0a0d1f59ca9c894a89a5b194cd2b8cb4e777

SHA256
1393234293c31006c61b556d4bdb95cc2a69f5f2fa138d2235edd9b4be0b01c9

SHA512
39fd3654032c9eeef09adfd150048644cba6dbe60e3fa8b303b355bbe3c19d6ae545be7edae11bf893e937cca468bea54926be4a48046c02725c078dabb40a6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e458e05ad67b9d709d4c2e200c91ceae

SHA1
bc635206d772239874697779b8d1d3d3177befc3

SHA256
edec9b19cb29bab8541f87d8044c19f957a18724d70e7ccc28fd202eff9bfe03

SHA512
8135d0cc64ea84d48381f28a4779c4c4058f687efaab754eb0f129a0b7f4e00f349021f492559aa9737c354665ee6a3cb1072250924f19bdb988b89faa096d92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f9e66be7411ccb5ad59fea665a369386

SHA1
5b7ea6a12e5c18ec6195e010496b215433c592df

SHA256
584a1eec7f8558ba26d51a816978c653b81ebc530f42d7966e8589564ae5b3d5

SHA512
36d6f39906fd06bce1b411db7019e0d3dd0bb01d88ac6c662bbadc4699b6146d6bdcafb44f26ce96e1cc373f633304c99b0f1244781a31385e46615102f1ba82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
3c0f8b3403d0e6b58458647b200bc7cc

SHA1
deb501b00f208f2d46b7d19d2a40c593cf4a2563

SHA256
686f8b44d57839a697b0d5fd7e40fe4ed30d6410bda116788d9adfab8c89aa47

SHA512
89c25c56015ec3fe7bd42a1f94e86cbd29c5a5d0ac9152d6c99db9a0ac8e59b6eb556659b4841a8c975dfbb93774f188d66aa19e009609b599d023810007ba8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
4bd67e3a41a25368428ee053b42a7c97

SHA1
600377291384e541c0cafd9e8ee00df4ebe1999c

SHA256
5464fa34dd0090e8c9d47253fda81f10146f559658686feb055c11f981b35555

SHA512
74fb1e9e231f06bcb2f0c4d28fee81b9f239b8a4eda0eafec4e10bb52f232a704c11389a24fd07a2edf3c28647934523539d5428c58d8d72281050b6bc6511d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
06c2fe867a24b8dcc6085d97009a1850

SHA1
4c0c0a4066908c93507fb2402ddde86ada92a864

SHA256
9bf3486721828c88b6b5de7f978effd087eaf0e24fd3712da3e077cb0d0dac16

SHA512
e99b0ddc0b6e863d7319f8ecde1b895b29a1c93cd083b117a3d95f44bddb1e53a1a84a02acb3918a2479fbc1586d15ab0b1a64ce9ed3aac2ce3ed46e519ecb62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
9aacb943c32ca84e53d257a3433011ae

SHA1
838492315b561e860f6d56cb6cef1e866695ef49

SHA256
5222e350fac4757a5a89a1d6b8750c8e5c8195cf1d8652c5d0fe2844e0f582f0

SHA512
055cfe384890b2e7a6f65fd75c7ea32f588c63f9d7cab253e0d6a24bdfd0f70f5b3b19d261b092f8109d38dcb5a4a539de43f3ea0463b7ce78cb5b23189726cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a501405322e4bf5ff032081d27c90248

SHA1
de65c208af871d74704a5a3b64db2da85f7b2585

SHA256
d09f91a764cc05327fdc66d8cea5f563f61f53c89856673c35004123a85e2193

SHA512
5511039f470829f6969337609de96b43ce8ad686d9c756a5c2e817ab61c572090b41067c0a258c110eb8bfc4b40dddb3a7ed475d9461705f8c66051636d2aa4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0a501ae000f666d487149351df8aa26c

SHA1
25bfb0190abf9006893831a87230868790f8a85e

SHA256
cdde0cf94a575523528b46b78d10c6ffd77eeb1a0bbb751b10377987dde41499

SHA512
09f450cfbf646ee8016488e0dcff241a151d5236661073277942f32bfd8dbbce343e38ad9c77d24d5430d9f24c5975aa8296938bec3f3609a983749f772e4896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ed7cc6d909ab24ec6e2dc9c27a515cca

SHA1
dfc8dd8e261ce52fb2377041c4d69dbaacd4234b

SHA256
b7f5776d52b342ea7c1d8ba0b5a6256dbc032f960a95db2aef989d4ecbaa57db

SHA512
f0c40a72bf3a2303f5a5f1ed3947aa0c933e31fd5862cfe485c7c706d371c002c8c3e231ff7e94ef3ccc273b14f6b500c0af57aadf9de636269823a9762a46c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0bc07869a7ffc5b5728744fb2a90902e

SHA1
a2493c6f03c5543d588b2a65a8f14d7557c01d5e

SHA256
b30f629a7c2406bbcd209955f6c9da605038abb4efa88f0e4432c15e3d96d192

SHA512
085fe0cb42c25df327343cfe8b8293cb3e01d1d0de9f8b0800a4826f035e7d0a0a4691d77687e5aba953bd931d3348de453545a57cf1b4ea18e9935638101de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
320a6170bdacfbf9ce5c6d10189b70d1

SHA1
83e0fc8e5099d1a5f033ee59d94ebec1b64f5c0b

SHA256
603609b7f4471555f8b3e9f443c933f5ae12c6fc0f847a40fcd41e8ccdc9edce

SHA512
6c3310c7b9eba4826c8814f1d2bdee05e43120beb4798bb76720e6f8f61a1a84c72c53200f5c255f476fecb4a8fae78d77127ae398c3052336f835c424443be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ff52fe8290db4cc07d0708171e43f5d4

SHA1
571147ddc87265b60edb9075c75f6f48079e1c56

SHA256
7f64f3065124027eee5722c0a5966809d692ac6f8f5669f2f4370ec4151e3dcd

SHA512
e4abd44f35cc0c8f31ffe99fcc08a01e5698d5e24e0678bd316a5e3aea10cbca0b50223c398e0640204aa98ed59e12a7868905f8b7159c1ebbe5663e46d83272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0e51b96f-2333-49be-b5e7-7b03679326f7\index-dir\the-real-index

Filesize
2KB

MD5
1259288fd2cb34623b988b8ea3b2852a

SHA1
4d05d66568b52ed975ca4929064f35f733bec779

SHA256
8f1cd1b5b4f163cb75074ddf9f3cb7067347f17f876995ae2ce73178d43d2f37

SHA512
2d83eaef75f010b3f3ab237ca3c7602953518e913c7c97e4bd3fa0b1b6aa478503e860fdf12aa9b4c28fdb0b10c2aa6eaa1a258f1bbe45fed60df27d519756bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0e51b96f-2333-49be-b5e7-7b03679326f7\index-dir\the-real-index

Filesize
2KB

MD5
769d192628819de46a9f7ee147074a87

SHA1
3704dcfaaf3f646a9c90375b51974619f4e57e8a

SHA256
67305feb4cbbcc12019be76323cdd85b4eb26a57ac70ad3a8b3a844e83e81871

SHA512
129b7b951c5024fe17f098c10764bb7e09b0988247575a5b94129497f1dd850340f553ffcecd07aacd42f4443bc1a1c96c52b8b51611d872934981994f8bb970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0e51b96f-2333-49be-b5e7-7b03679326f7\index-dir\the-real-index~RFe5806f0.TMP

Filesize
48B

MD5
fec71efbd736125822953d19b6cbf859

SHA1
372f9c07a95d14a8e51927ba8c52966ba3dd4167

SHA256
1482a0755e6d7d99f2599caf0081a255ed5cb45fa8cdeca703bd0b7feb550e7e

SHA512
79b3121993c63a2a3c8895f7d016f7b8a0f4a58eb327fdd6f311d224e3e40aa80c410c16af9ab88def15e2914505ff344a1558b56f01e2a115cc340d9dc781b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\4b502baf-fb0d-47de-b86b-8ca7e1df2759\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\72d11c5c-4be0-48ee-9107-510b76294859\index-dir\the-real-index

Filesize
624B

MD5
275e329f8e1c362e7b89ce5f29bf4a95

SHA1
d344e00d49a7caaf9f285c72baa53fae2fcd619a

SHA256
9c223f5581f0476f93c007eba24eee2d369716620bf0edbfdc455fedc23ef0d2

SHA512
bbbf83dab7ee9c1e3001074100b6cf340a9df65e686a44cc61c59a8e1cda00800ecc5182b7ff5235ae19198f4295c794da3e4d1bdd422bff2764bd737a091264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\72d11c5c-4be0-48ee-9107-510b76294859\index-dir\the-real-index~RFe586caf.TMP

Filesize
48B

MD5
e6ba1e14fdca70604855a4906ec4d023

SHA1
ec58fafb467b03384079d846b0de3b0a29b4b54d

SHA256
0a20713e6c45c85d68db8669c79ccfc884e14588a42ba639796c6a43d0d99ce1

SHA512
7501cd25dd440580c459922fba30b2640b527e70e88ebb3dbd54d3d66bc8d9a279f57a59ec71e48b87adfb9083bc5dd4cf2a4fba8c68df1d35fec0c78d398339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
bf5956b7dfc587b19fa42da37b9f1bd8

SHA1
176d150b077de03c34e6c3c9a1d4820d51a41e10

SHA256
deccd08593cfb91a72e55e106abf634b19cd762f303b03347a0619a18ef15865

SHA512
32ac256b6cdbb52dadbc636663729cb54f1df43119d4ddeaaea1ba75aa65fcbc583da739c6eb5bbdd9a5728c8f332efc722c0e2b56077f392bf5dd66e306ef34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
7931b2156d8e35927fc7f267dfb5eedc

SHA1
38803eb5697276b69780264f37143fa64a56d529

SHA256
ebf330993829f714e734ce002edef498585f338960e3b67b6cfbc3f1078e2a53

SHA512
d4c1015c72ba9b591f226c58f3aa28d7a5b4f22a04461bc345710ea618448de0209fc619cd154cf53f23d5ce301fe91aca7ce4e74391c9d255c1aedc4effcc47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
d033d46fcd4daa79f08905041f258da8

SHA1
b13c118e8fe61a1990c5a281b72d2fb75a7c2e80

SHA256
3e743dbc39b773ae865ed6875b65e5af7fb67dbe0b05660741e7847120eb1ff8

SHA512
cd89613371743a6c3156540390220af5f78ebef06900072fa0aa6eaa76f312938131c260551d224f5858edf7c7f5342581d5043f91bba81ae92e606b944d3c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
187B

MD5
94ab8f6db3e9eaa1104119c997d9c395

SHA1
a4f96f5afca9d2d50956b47017ace34ba756314e

SHA256
af758c074cb180e7593391432c1be5f1411b86a8958c18e3adc9c23c73368b6a

SHA512
e79aa1e4def61c94129dd09e831c6932eb3a2850780266025ca678960453a6a0f36eaaf05a254b12dd914b5fb7ac3cb4736addce47006a0c14263feac37f6363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
58f27512126b7829d83894c7a2b5707e

SHA1
ab6aa5a56d0749942475a948d917fc7139c0041d

SHA256
ed462ead14e14b790da815013a5ec44c4ae0c8105d965029726be010be177240

SHA512
550aee77a2a3b801c72a45b7638d92232eeec4e38fc8850fea83222d43f0a57f85b3c3f0e82ea34ead9b4a5df5cb49926e03761198230211ad92c5f4d894fc8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
9010ceeaab29f20d45104bafa3f03631

SHA1
e4501a1ee20132543714f961850d9246bc81b69a

SHA256
504d5755e8138f0eddf0ef429b451bc789b13c6815d51373427115cb706fd9a4

SHA512
11dc2b1a22428ff58e7a3bfc5904b0236f16d360c4372c37ebfa0289d348267544bec0a7016c39ce9a6f18413be811a691d8b1bdfb76107294acfc6c437ae863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57f368.TMP

Filesize
119B

MD5
8b8a3b49b06e317221b4efb9fdc7fb1e

SHA1
9f2298f2f6bb0ce8ffa8b5e6f5675c12d3ef5383

SHA256
7818954376d72bb1923c6d02be7722f17ea18979a98a102e79bb8b9ed7259d46

SHA512
13002b0b6fd2fa4ced62bc9add7bbff9b42cdc6844e800533fcf5fe9e93d2cd8ce36d5ff65403c3097063f69e7e656c460d0ed1b8ac0aea4f8dbc4718e022a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_0

Filesize
162KB

MD5
5424fae8a477e0e7c2f0d43f3fde284c

SHA1
a902889d7ff4955caafd3e44c296ff6ada033897

SHA256
45e8fc6f92f9b642b06c0b32a118fad06f7d5da458d19e86941834cf8ff1f144

SHA512
400f7ec1dea04d6aadf4508373c8278d69cd4ef4908069c329e80ccf44d744fee66002f5b44966833d2c5aa47602ccf4ae70270b7757d7242ac55d779f990002

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1

Filesize
423KB

MD5
ba7ec23fdd50f719719cc6f26606992e

SHA1
bad0feaae6840e138846505824d73e1ad4a12a74

SHA256
7181ea4c580c43df4b53e56f17f9335e099d36493fcac488375a4c61a7d7591c

SHA512
afd8caba6142fb72b8eb861921e6a722ebc2a45e16bb86829e1e02af060ff273bff5234b3f2962c85fd33141a68d1dc64ddc50b1b715d144f2fa28b4c17e1164

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0

Filesize
16KB

MD5
0e6fe416343fef08ca9cf86767fa90c0

SHA1
fadf4c10e942844f227d204bbbd102c45588caee

SHA256
e8bc4a26c41bed5cad4a4e7cf019ae142a5ac8da3a5afa15dbd3514955373cc4

SHA512
8d92513a2c58e9240178ef58a464f8fbcb5f599f2ab5fe588c06487e6ee3ef35a0639c0905da753a11410f2de952217d24bf0a981e207567bd43e220756d1418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_1

Filesize
11KB

MD5
e7d414418831fd52a11f7dad59b7a3e7

SHA1
64872bd41b42f8f443fa1aa242f58c0025fc39cd

SHA256
8513a8002068b38da64d8149b2d59ca2dfc89f4fce944201966a65735fa0e974

SHA512
59364447aeb55afca4ae8b947d826fddcb8521386a215885d218ee72737b30e8a8701cb948a6adb41c3f2213175b31c5fbc32d3a8f54eb8df63fab0ea09bffb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
591a4181304053090b4d54697b63ef2f

SHA1
a56739ff98536b2ff0724e1ef4deb2638aefb6c3

SHA256
ecccd650b6f9952bc05d7b3a787feead39734b25ce550df171b31d933ddfb1dd

SHA512
3591bb006f20bccfccaf648cb7153576149213b7970f17850b74e0a4a5676a5b26f26eca30d4c9c767cde75d89bd1b93a6723d2c33e08a258505a0553090f39c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
212KB

MD5
ba7cfa72c5076f6038cc342e0d7ba8b8

SHA1
6fff7a77cb4a971037f1b613245f7429bf5f2c87

SHA256
bb37b1936f18af46e106b66e76a38f6ca2cdb9c01ffe5ebc6a73932dd22e981a

SHA512
3f23fa32f1ae45d3555945b2dde37960e67df995b5ab0de314ec26e18f34f5df3875197ca27e87bafe86f21110d1991dea6f8d628a30631072baf1976753fb64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

Filesize
185KB

MD5
e629867fb2c52281c111910f8211859c

SHA1
6c51c688885dfbde1f019262b6de5432b4381c30

SHA256
2fad2a8850f403dcf39b6b9662735702e03941c124fc1498d2bcb1d7b2ed9ef6

SHA512
d714521763b752f07849f065f8e5358da37a47c284283f8663e2a7f512324728410667b576077a56fe256dcd2cbe3e32427957b6a079514c8fb4b00c12488b28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
196KB

MD5
f6cf1cc345877364a0395dfba9108a6f

SHA1
0b7e1b70cc4238e96ba3633d94d82ab7df7f9d05

SHA256
9939cb478165155c1280ac67714dead1761ccbb92943df673fca78f5a4ab4a63

SHA512
1716b796dd5cc0d14068a8648854211db2a4069f64dc4b7839a8a9cd2687e2f53188329d5df130a8a2b1b4908be39fa893effe9f99962b005da6d1233b2b9002

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
184KB

MD5
fea6be8431c0bab49ed9d94aa2127e0f

SHA1
f1ece61b1c34d03b7160efd05e124d29aad0e50c

SHA256
254aa4254b4fac9a519aaf573e5a8c112a5a0436eb86f715c6ae054f4eb10893

SHA512
df1956e42e7e4b130f0d6b0b3cba6a866da85481f138abd7aabe30a1f30f7bfac64e2ac1809c5f6f80444c6a5d28f8d5204d4918b7dc27593193342d0d89e8fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

Filesize
201KB

MD5
97bed3c50e40b6319d48a589fe6a68a1

SHA1
7e4879b446d2f87d39e4b56026d00f541f478d4f

SHA256
fb2ad0f8d76c7db4ebcb10e2b3be55ba5770bbc7d98d52b958ab465bafadb46d

SHA512
d9cb78c2de867add97d0745a44b1955e7b9811849b93720618fac8e503a257d7c79eca4069a8d9b27fd3793f40fc71ae01ee6538831b1da158f04a50ab1a73db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
193KB

MD5
35c7410ac8859217bed0a64547a87dad

SHA1
cc04fe40f515cc4360287102c3b292481a16a754

SHA256
96abd2226d1a0cc206b158efd4514913d409d6c2889a053cc2184c85dff79d37

SHA512
096b5a3c442849a31dd3b489a6189f085c198449f0eb449b7215d181402793dcaf51ce19555358690977e412166ba24bc8a024a0564e0102fecdb8160531bb31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
189KB

MD5
6b39af641ac7f4d752a106b94df61b38

SHA1
b483bd5350620975adf158f8f63957b7fcfa150a

SHA256
7f972da9efa4b7c7bcf199f384913a2b3ad6d4505c1b6294a6927f5469973b3b

SHA512
558eb25636e88c5ba7a6ae7fae69cffdbff3f43a81edcbb3d23d4fcd3e28c8840dc75dd2b8412dc7b9e57b74f6b38e3fd10a13fe1640dc2cd9699aa7b6b73e68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
208KB

MD5
9cddbfad53b782de6513eae366fa73ae

SHA1
fd3f4b95ffc4519d23f377de0a8d099dd5e0f26d

SHA256
6edee7ee41d4d9a807cc8c7d049eed27126cec4b07f229e6fa7b9587189ac2ce

SHA512
87f13bc2c8cae2d89fe7f80dfebf33aa12506a4ce592336498155c62ba87bf0ee5399e4a8d11ab0295bdd22c5f787c3e6681bd967e94c4b0d088261278200dbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

Filesize
188KB

MD5
58e2527eb7b93833884cd0bcb316b317

SHA1
c62f5e4a1d1dfcd017e69ae4bbd34c1dd3780c74

SHA256
5b1cf55536b75525e75ec73dd87ee8c950a7e384843827eeb1e1bdfb8219fce6

SHA512
0ae1c4486806f64a6bd944836018d49eee9d11e3b44c03a15e61994e2c74af2b5c6074fc3efa0941df8e052b05834d0fa166bcfda69dfb46a8c0dec0b6cc9656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
200KB

MD5
d111b1097d1cd8c1d9a2bf0416453706

SHA1
954b783b0f194c3c31b67fdf8090af46850dce1c

SHA256
5c2c569abd8dae526197c0d44a30022d6790a8764d93c5cd5ae06eaa86f81ed6

SHA512
933dd42ffc7e01c88b2985557711e1fc6c26d49a1dd77bbcdb5901751ad5eb41ceede4b9c92124095650a0ed18afe1cf22c1df693d6414f9da3a6445e9ced23f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57e60a.TMP

Filesize
140B

MD5
4df28bbc3f972869b6195557262d09ce

SHA1
34273b0bbd9456673d3c7958811d917a95bb7dfa

SHA256
6b292fb3da52f98d2984dbb91f7bc0609477e50f54498b77e2e4e58649a65d1e

SHA512
5305d52cb824a1bd69f36d0b6f74f1d6720c5fd57565a55f37a0d0ccb770ffaf3b344dffeedf5af47fd7be7ac97ac75e09e18b97447a1d5af68831fed573e1fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
13541ed30e10585ddc11740303c4c461

SHA1
086211a962ea0c1171e6865806dc8606de869454

SHA256
87b12dfb5be3f96ad9956c928255bacd6c4d36d1a5107b20cee08fb9dfa2499e

SHA512
04a849379fde71ed1ea407a05ac1f65f65faa3ac65aca2f4b599d51f071feb766aa951a5ffa249253e1a3730982e792b06c7a27b8711a3ac53b21806b7680b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8819da784b7ea9bbc3178501ddff1cb1

SHA1
52812f17958346547354e4052d6fccf21c6b8f50

SHA256
fc05c244c8919e1631dd93be28246530277d03975e35b23a99ab3eda70fee591

SHA512
97b930b00dd5a36359996203cae0d7caabf6c05ccfcd4ab40747faa776bd844336fb05f14640fbace4c67d9caa8f7d123da902c41a89717204b28a6cb5cad5d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
f2028cf02b45fe90533e46074c108c6b

SHA1
1617110a35d0e162c109a1fa68502a3875fa72a7

SHA256
a2611e09ddfbd6184aea7f05d684712810def3ba674d0c257f72e5cc974b1262

SHA512
47abe2eae38f436e25dda563ab58d56f5e9fdcab79a60f5f8b1e71334ea5df5864ad6702b0f77841ab7b9d180569bc666574e88414356daf499b4d9f05a85f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
194KB

MD5
a9261f43b9ef234a4fb27bc99d35a680

SHA1
89430261dca950f039238c171e8b01fbf4e62e4d

SHA256
ae5bd44883946029438c302785ddd3c287cc66a479e2a4859d980f590707145b

SHA512
477600a92319d86c002366a867518effb4f451160249c339afbf273787f230eff251c5a4b9d85a1abcc2c116732decb41d8271291a550cf97bb62a9a99315ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
198KB

MD5
d5c9d4fb00fd5778f055be3c9439d655

SHA1
54a676494e72c5764c926956dfed72c07e3b6e47

SHA256
06b92a43ab6f0d9f14c1c328a41bf0d19b30b71395c9221dd7a54dc62fd5dd60

SHA512
e91fc5790da9e30cc8d67987ca2291242ef67079b54c84aaa53d90bad864753f06dc1b63ecfbfbfc62e84bee1f947fd8f9452d0d30f58f2dfd63e2cc563e8151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
207KB

MD5
b4bcb40f5c959cedca63f8044b7dc1a9

SHA1
8259d709b5f019c6816b2fe5bc070c7c36c15e76

SHA256
18a673eb5df987247cdcac6d4f9a5fc8105ffb945b8eae835827d571b076246b

SHA512
b620c858f1e1d696d35d67c36428b12ea3777cec7fe4a08779980c6e62c0c3d4ee92eafdc00cfad8f4c6ee6f405cedf2c554dc640b2b463d22c4f3b558fc1bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
195KB

MD5
bbbb8ff2fffcb03789d27accedd6f56d

SHA1
749ae3e276505f17b808456949c7bb1a99ce6f73

SHA256
8f23387110defa64efc5040c6ee455752f9b3ddbbd2bd11e8d635108710ca931

SHA512
467c2fea5933371fc1da23820942699d215e10e1f5d3ddb659c4a640b4d6a7aea1ef679bd7cd680671fe5109a7c8836b63bb031b519d1c965271c3b1ffc18e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
193KB

MD5
644f7f59786b07eaf51cbbd734899e5b

SHA1
a07a4d4cc6cab913caeb3da7881b979a7627c862

SHA256
8b890e3a9c0312bbdc55422c4c077af4f7618dd8f227e354631afbe4d6532a14

SHA512
f8395a1afe97ef2f4336c76af98ee582eac2f710af95c05a509668ac27fb81fb0aea4e6b4142736cf396e616fc65c58ee8c9770e0bb3040bffd9bd5e0f2da683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
201KB

MD5
1ebe0a03dd725479d2ec64194d7a8ca0

SHA1
0de6db6f2a100a112fcb7404d2dab2bddcae952c

SHA256
7158d87898c1552b5faf51651b1cbf4aac68b976f388f323f078f58ab7499c2d

SHA512
36673ba967ed4bbba30243c2174369169f3b5597318df37305b6855235ae394b46e73234ad63a5a100cab21b408dd19b9afa2313c8ce198c2cd2fe5186c18e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
202KB

MD5
91100ea8a691a763e8890092678e538a

SHA1
3868d3f328ce6f7686aba1c22780da96906b083b

SHA256
7af24037b017aada190ccba2962276c864f2f1b0be060ae6a69a52231e38a34c

SHA512
28fe33f1e1ca1408d1fa31c829f83bb7de5281c8db0d24f5351842510c4a888a36b83904bbc1a8551f9c50fd4711a24cff19814a890a36726ccafecef27201e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
196KB

MD5
0a12fee96553bf605c494c2d29580ec5

SHA1
aad05305a980351a7910f45433c8569049d12297

SHA256
70452a9106a2985122eba03960211996f257e5ac8c67cc21d6417ee7f555dc75

SHA512
210c90749aaed5a3ad1f0f63555edd7f12f56c28f11a7547258b87b900242b9f7a44d575f8fd7a747100f3f335ca10f6d061e2493d8cf7f61a9d5937e2c39d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
184KB

MD5
52a22c8209eb2ea1e09a5c2cd3e4dead

SHA1
3185d67608f0f7b7aa3ebee5efa3b5a435c93897

SHA256
5415f78a2d23149695a96a807c12adb25e86241e7a0c8ba52f59a55b277afbe8

SHA512
87a2951dac6651dfda040318c915b65a82b42109eda742d41b40605cb3eb355ef67734a5e609a49b9b13cce0e8f51100068d8aa0cb7b74ff379b099c8bf64123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
200KB

MD5
bb70c0ee0ad6ff9decdb8782ff7d0a9a

SHA1
01b4619b9680170a96c1e6824a2908999d178770

SHA256
54c8b521838da08d4fe786f9b3427f0ea7df943ac53b7b18eed95a3e5f85d937

SHA512
66f022115aa97bacc0ad05532f1f83cd6142dea9413ee37ef0c00c910857778f3cfb5837d65a69a80e2cc410b7b63629ecf24ef38f69292db1f2aec591d258c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
181KB

MD5
4dc5e581ce8f9c4ddffbc405a5b1aef5

SHA1
bf74fde0d135edeb58ebdfe518ce3273be54d569

SHA256
0a094a6bad488963171453c93485dfeb8dcf25e587b47551b6a07dc529cdaf4d

SHA512
028af09d34f0813f79ad3c659a9d2250d731afda10a95e03642bc88a46b8ecba7fb858fd648cabcb8e36821eb181222b60bba879da4617be05387f3b05b14a88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.8MB

MD5
f405a3fac979371077c360b317edad6d

SHA1
102d8168b001bd44eaa7fb2b833b48b6d65457eb

SHA256
43f6bbe4d907ee92cdbffb48d40b88876827c498f1b3abb4c185f0027cb34023

SHA512
28699a18b2c1d946e0cdfaf6e284cd630172139bb1fd95c2e6db3fdebd59266c753bc0e4e55481276cef19331bf86ea40bdaa0d2bc3aae39bb5e157bfc79fb73

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
183KB

MD5
eab6266ac6e634c73f99777d9f99ace9

SHA1
e56ed0caf7995df76b2df6ebbbb4a17d849310b5

SHA256
57e10bfad65c8293360da5f6e2c408ebc8f9222807814ba27e7c763ba5f72689

SHA512
2fa80646195bdd7a353773940f4e45b84d8de9470204b51d2faf4fe34dbc7f521be50b9fae6ebf43c24aa1e17c01962c737822c7dd34db2e209cd5c9ce28e505

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
182KB

MD5
9eec997f699646100870e01c3b25c083

SHA1
e7e4d46748c4178b3a3ab0a06c19301c7888c748

SHA256
a68c1f5e47025fe845cc5fdc0e200b3625a11ab2a2080e85dba89be38400f567

SHA512
14064b935f7318f4b37366258d68e6cdb28df173e60c1deb9735d80735e23f6b2368d168545dc8b310f66793bcb22452c29c5147e14e5c0ee13c720222458d50

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
4d52399020a24c1f6b4254cc7252504b

SHA1
2afe0c8994c64898d5fe16ca68811438ef19b0ee

SHA256
e75a14ce8abaea1788c4361552ef9ef2b86ea02485eb4ad5f8c22c9c49ece3e7

SHA512
a481726d4ef1dfd67a86ae79e16abda87a0f370310758cc8a1bb2516a69557129e9612b9430c0ae11d7ddf72e1afc3375f5649a09bb53febe5cc16718ba976b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkgkYQUA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Roaming\StopRead.bmp.exe

Filesize
697KB

MD5
0682f18c0000c62f50d0ba67a769f4a8

SHA1
9398eaf5bbaed67052ee1f2bf823649794add2c5

SHA256
e9cf43c9a1caefead9a8595b59e1e2a6b1d3800344ab2b17509a080b3a402e96

SHA512
4dab0f92d03f0d67d3c1f64c45c42341171ba5957b64a87421125cf40a5d9a24e1c6269d30e322c8ba0b0b5df6521f2c9a653eccf11747c73869cbe2d5d647c7

Download Submit
C:\Users\Admin\Desktop\SelectGroup.mp3.exe

Filesize
559KB

MD5
2c41469986519a4d43dcb3f9fe6d0027

SHA1
2a1e77637d6d81feab154d5b3e95e82bb144e556

SHA256
061756ce803b74f58ac7457598a7edadbbb905cdc6d81c99e5ab7bd01537c534

SHA512
95ab7b852c97d68288bd36dec03512461d0f5c6b34adb791dfdaa0a0dfb9a0001fcfa699541dfce1fd6ba275127dd0f1dfc542ea7f09ee7084a8cca4a274ec35

Download Submit
C:\Users\Admin\Documents\DisableWait.doc.exe

Filesize
1.9MB

MD5
2a8db23ac447df0629671c542a8a2152

SHA1
53d8efc382b623f55bd921e4c02cbe3cd1a89ed7

SHA256
f4fa1a966895559b04ca5c78b15ee75d76e5ab9dc669f432ec189d2cdfe2f41d

SHA512
fa2767735ce6278520c8ce9402ddefb62678f35bf3d1c147fd14f828090b6c621f3e3bd3b3a96bad913d31c8914f309fea92fe4ef4f159b5e5e6c840b1e48a5d

Download Submit
C:\Users\Admin\Downloads\AEIS.exe

Filesize
308KB

MD5
2bc6c32007350f6eec44851be14bab36

SHA1
dd33f7f4c7f397a93ae25b77c354bfd16186f8d4

SHA256
07b759b494fe8e2daa90936f343a5a5a06a54887b7b881a6d7ccd77aea172c96

SHA512
83623603651dfb404851cf60ab4e6ace26d4f6f88c7a24df4b9e33600585a06cbe607681cfc6a684e76430f39115a4ba3f53c6f257ae4097a3f4e6c8e062b027

Download Submit
C:\Users\Admin\Downloads\AEgO.exe

Filesize
183KB

MD5
40118506523fa102ef508c53ccc0b8b8

SHA1
c9faa149cc088f1a2abd1e2e8806eb059715f894

SHA256
dc7f398e2ef57fb0b0450e291caf31d88292f75a6eafa230cbb56a2544161f3a

SHA512
5c6b5d9eb4c07af97a84fbf2c38022065e1331ece8ae78198e8519ef001d6c7518804a55148b3d27f9593871dc516b12003106253a8f79493f76ba1d4220537e

Download Submit
C:\Users\Admin\Downloads\AIoc.exe

Filesize
225KB

MD5
247ec81807dfad890f7a42603beb291d

SHA1
3d0933c2849caa45ccc2e23974dc1d9f5c90744c

SHA256
71aa298ab54f45b801dc8e487da253171bf514cd8a55ebd70dc00dbcd5cfef84

SHA512
04046ebc0983a00e27179307816e1bb4e8e7af3387d66ded614db17f00f104067b27418e11a5fbc27c253500456d5550a5ba1340879f5741585c6fccfb805667

Download Submit
C:\Users\Admin\Downloads\AYoK.exe

Filesize
638KB

MD5
5261733b9269ed2496e66625f456d4eb

SHA1
bab154674e4491922dcbf2ac4a36e162bc052402

SHA256
d8a478322018333824c504fbfc72a345281b3106270696fcf4a98200c19743f1

SHA512
b557f6f2cc743afa18e3ad3e65c85c3c2321795f38644d066f2b9df6abf5fefdd7020c9bc17b7cd99d10b3393fb3530e5c83ce387dc3641f4c1a81edfe7ddf61

Download Submit
C:\Users\Admin\Downloads\AocK.exe

Filesize
309KB

MD5
e80d7d6adb05fe201c759b75e52fe443

SHA1
b8f1b6da41610d5927914219cf4256c8806a0d1e

SHA256
50e3e48979cd17284ec8f81ad0854c5ac441b8c66af554a4c422c83669764400

SHA512
7100edf15f87a0ee7bcf41c7909493270f6cf128ba7b245216bc09825699b2835eaae1996027e7a488c219cecbb236f2a533a2e0e1f5955fd6b797f3f035f91e

Download Submit
C:\Users\Admin\Downloads\BIYu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Bksk.exe

Filesize
1.8MB

MD5
93ea302b34917bd461373735d2c18ecb

SHA1
d74be7f29dc10bacd5075af7c2ee69529654986c

SHA256
c460dd987bee0d6de31be8e60ef133b04fbaa8f3db2c6a27616a69a4ba8399a2

SHA512
378df3d85d09ca87393b6c2b1d76508bb56394c39c75627a9c46ac9ae32a0a319632e3efc07c84ba747e1ee15f2468ebca966c4eec6e055e054653c2c20692e0

Download Submit
C:\Users\Admin\Downloads\BoEC.exe

Filesize
196KB

MD5
2047137745fba78613dd06adcf899285

SHA1
d91eef35ea6eb7354ac3015f82a36d4d49ebe4d1

SHA256
928e2ee7daa6a8bdca702fe152df297ef167e3083ff0413dceb340fe64a85d25

SHA512
0864c982d2fe70665d0dfcdf0d23f96436bdb3fc33e0c4407f23f41787a6c1a7686333380d8847f036aed973dcc2d70611ec13c68c67609a5d0125d6e72f2bb5

Download Submit
C:\Users\Admin\Downloads\Bowq.exe

Filesize
208KB

MD5
c0a1466160cdea7018aa4491fb25ca02

SHA1
29414576ed3f86baab4fd8604fb42a583f456453

SHA256
993e0a0850e895167ca94103d432ce35412ba31c3a046f736d4537cb0d5b35c2

SHA512
85ede868391dacd88cbd9ec53d5c8a032e6b627282f82db2ee5d07a14dd7d0840dcd51ebfa6c6da7563c9d066d0f69d3cd47a2fba68d13f9b99d03282bade0fb

Download Submit
C:\Users\Admin\Downloads\CIwi.exe

Filesize
522KB

MD5
d8acfaaa06bd0bdf16a4263b12767827

SHA1
4f7583a18342b1ae27293141e0fb57ea61deefd9

SHA256
df3ca37418f864de43ea58a2985fcb3e1c3df67bc73b2109454b867d79ca6a24

SHA512
9aee8ec10460dde577724b0f476b326990bccc49d3926a6ddcabbeac15c49993c498a570e75b23caebad8a20bae700976c7343b8e0562e32afb1d604be09efa5

Download Submit
C:\Users\Admin\Downloads\CokO.exe

Filesize
183KB

MD5
10bb4eeadf50ee177d5431f84217f3d9

SHA1
386048895b0ce1b32c9843a20666197106f11e9b

SHA256
b16d70f1399f7e576c4f0675f2b211e2a2ff2b97bcd890f3a7a7e908a0cd0ff0

SHA512
181e1a560f542f995ac40b1c033ed21740bc25a0d3a1264de22bd5307943d6d96681f9a6db36864b3de61f75630283ca86cb69ea58724f99727529bb09fbedfb

Download Submit
C:\Users\Admin\Downloads\Coko.exe

Filesize
1.2MB

MD5
aa889a9f90067ee3f935c66ed0d0680f

SHA1
416d2571be284acd6ca2057938e86fe780a0f66e

SHA256
5f557ef65d477efbd9469f904b178a78d3dda2454da41fb21f96c49d015dae43

SHA512
ccee0d623eba673c395e7d89fe4c42167527e9150d310f7a82b5ccb1a016e0cff5aa857418e6ec18f866b2086a0e81ffd9bd15c2491b6a8bca9505c2d2bf4404

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\EQQc.exe

Filesize
209KB

MD5
262fc105589c3601e8c3a2e50abf5750

SHA1
46d4444ec3897089f47fedc2ed067589f102d6ae

SHA256
741e31e6ad4984a24c9886afbf52901db0a526b7b8464ad0abb5cc34181bd71f

SHA512
0d808e4634199bcda7bdb6ebd7ee82a7d3b931d25473c6f20678d64288255ab7591bfe8b9fed21eecf6a0eaa5523cf7fa2371c6537c5fb89358fe41281c1b998

Download Submit
C:\Users\Admin\Downloads\EUYY.exe

Filesize
777KB

MD5
46761985f240b0c173aa9896b622dbee

SHA1
0b297f92c3f52b0285cee98edb83382f335da959

SHA256
21af11c52565375f82c1d03a612ac70379cc393fd5f2c3af7b2e7dfbe1eb95d3

SHA512
50a64155b8a83301e7154b6e1b1735767be3d911357782993f0d6eddffef9a58b260eec1923ff6da01b151eacaf94b5c5eed716e74d524b9135c04e1871a7cb6

Download Submit
C:\Users\Admin\Downloads\FAoS.exe

Filesize
196KB

MD5
07f3a14ae5ca040133d10b574a39be34

SHA1
04e8185af0532ef92418fd4e950d71d913316369

SHA256
f1c231c97ace5e763063f2239b1e86f18fe2900cfb22fbd31b967ee78d34c5c9

SHA512
2de5e02bbd79f33989e0bb89164c6e85e3ff181c935272be9d25aa4902100f950ad521a2f6672ec38c409428af073c2070d3e5c88a61c8d3138b3631cb3e3427

Download Submit
C:\Users\Admin\Downloads\FQEY.exe

Filesize
745KB

MD5
bbdbcff72b5c28cab627aad2fdc0ca03

SHA1
c32c1a52c87390f4777f17c73c71326356f5988a

SHA256
32578991e53b9e3b8d48f056f07eb7372bc3bcbd1a18943d837f286114d2d07c

SHA512
2c7415e14dff94dc2d84bd9392d07b85972ebcfae95e5c9cfef0a0c6e644e645c8137f4aea95fe2a051230434b50f8d4e41e0a6359dfc5bada4209845578a2d4

Download Submit
C:\Users\Admin\Downloads\FoYA.exe

Filesize
531KB

MD5
6783a783da1e810f957312a357e54843

SHA1
56ea3a466c9d3a23456923c07a2cfcdfefd16a37

SHA256
c008f3304dabb7c23ec6ef42ac11ddf8bc5b54fd8639bb0a4921659648f49a0c

SHA512
fb436e2c6c0d19aca6258539bcab5ec81b5bbd8a47beb1702a0ed190a5da5c0240abc3840d29a22a4b3cbeed4184345db6aad43bdd9631f1079bbfbc6c749eef

Download Submit
C:\Users\Admin\Downloads\HEsw.exe

Filesize
710KB

MD5
bb24958a6ce83f748e27bcd2af487463

SHA1
684ab3a10ff083435b9516b9086683fec144984b

SHA256
4f492eddd98d52f38257c24c44d1fe38a2995b08b4ac336030c7a716beacc268

SHA512
43bd7af8cf637a90280f0c83079c12f03f65b06c873ca276d16d6a6f93fb92c218ef28c303105e9d3ccf16f28463ccb6837c97b0bc2b74dc3b6f975a0e13a625

Download Submit
C:\Users\Admin\Downloads\HIQQ.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\Downloads\HQoO.exe

Filesize
209KB

MD5
f50fda49252234a8cbb6be9f0e1f3942

SHA1
af81851d4728f4bbe98b152f078dc0dbeb7f7547

SHA256
5387a209d8d6436071e05bdf724754fecacae8b9cd8294212892b1d6a9abee5d

SHA512
c6753be2427921651fe150ec749e89673d76a07e3c11f8b133114c7b986602bc337905f9e00516aa804c1c9c1540b98cfb997cc3f77349ee5ecf93a8749e91db

Download Submit
C:\Users\Admin\Downloads\HsQy.ico

Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\Downloads\HswY.exe

Filesize
202KB

MD5
ca2cd032f305bbae76215088471f8382

SHA1
029003636eed17afe4db6ce3c8d194b952165b15

SHA256
2a3fee42b8a6a9dfb35d490f1c4a41d9454b56753ed899c540c2025b03490fb2

SHA512
08328151212ed5f60bf35da3521d365d17d5c67552bff0b6fc580060bd71a41de21ad8d29f91f03d729461e5e4aef6b901a207f292f6d6d7dff1f6f195e8c1be

Download Submit
C:\Users\Admin\Downloads\IAsa.exe

Filesize
1.5MB

MD5
5ed8bb9dda9575d53484db6a5a1ff875

SHA1
10604fb684020a570fb7ce56bf8fe54bfc36ae6c

SHA256
e22541e0ce4ff8a0d0f87ff76a2088431ce79ec3a919fef2e4053b4252d3377f

SHA512
12167cc4f726c48be8bac029e38e0e2c4f87b28870dac4f02a46074a66ae6725b45d03228f1b9c1e9102ad63350877ede2d22d3454d21dc536c52d0578c8f22c

Download Submit
C:\Users\Admin\Downloads\IksM.exe

Filesize
874KB

MD5
f974a0ec4424bcac92d673780436fe9f

SHA1
0031fd23b3586af1c4e456903c3adc46cced5a09

SHA256
6274a32bbfacb2be57457a86a3dfaf69e5899c7a8fd43bc96eea8f7b604a608d

SHA512
0ebe48cd6f85f55b58e5d51ef8965f769a23622ede7ffacb03240656e430aa2b9e5190d61e04aae1e2758b66259a87cc9671efc9720bf0706f7cde051f160337

Download Submit
C:\Users\Admin\Downloads\KEEc.exe

Filesize
192KB

MD5
80d3b865ecf482597b05a4ba255bffd7

SHA1
60d956f37906352d456a0a6185bf2fde8eba96d0

SHA256
135441988d58fbe1aa53534f5599825ac32b6476c752699e7b7cf1fed80bccb7

SHA512
7f0dfb6d0b7c3f738b978f8f9e7d86c5ed0d1ec14f44f777b5b8c0b056d29b57d92c0bcba3497dbdf558635628651b8681686262200a7b9f6f7bafbb1b47b528

Download Submit
C:\Users\Admin\Downloads\KwwE.exe

Filesize
222KB

MD5
ecfbf75be24755db77489c6baac2a919

SHA1
95ee6d5f46cd41512f87946250196f07e65cc2e0

SHA256
9085f4b06b9c83674fb25e6b61c84d41bc32c6d20f17953c957b64ff938b3251

SHA512
c9954a09b9ed37599d4928f3f1a7d1322cdb7ad378383ec89d0af9d8d76bc692378b5edfb02079bf132340cccaad0727737363a975f908e09864ea7b6281d8fe

Download Submit
C:\Users\Admin\Downloads\MgEU.exe

Filesize
961KB

MD5
80ca5470b62ed8099f8c72df732cb34a

SHA1
8b66bab66d8764f251abcc525c051e48707758bd

SHA256
74b2dc0606195180f8b0de1f6563192044d4bc05ce66eb1ff42ebc49ea50a8d5

SHA512
f5a3edcc5c1dd6b6ee745f6d73e802a980b86d269fc5392df857dcd10fd1e9e8398d7ed21712f445e19c0275194055d7e14dc9608bd62cbf0670730bf34d0cab

Download Submit
C:\Users\Admin\Downloads\Mgos.exe

Filesize
799KB

MD5
56fe5bedfe43d7d413c28f5baf8c5047

SHA1
2896e705ffe47391fb0ab55c9f672f562bcea652

SHA256
b964f3b3974fd34e1d14c2eef44b4f9163ca45c09d886d8157479fd5b0fdd8ff

SHA512
018b3993db7cb2d2b8d3239a315d835c605c2835c8e91a6f302e72fd75faac010988cb7853dae68fefde2a547f98f0ac3f5884bf12681d4286b9760742860851

Download Submit
C:\Users\Admin\Downloads\NMMg.exe

Filesize
194KB

MD5
ea96f8cb694bc638581f49295914dd01

SHA1
7970f1cda1d97b202e9f62ac5d820b26aa175481

SHA256
c23bdc498bdd76936da3ac6b54674d3d0e185914a1f435e6cc1bfcb4d80826df

SHA512
c912ab3e3298bef162ac6d2cb198047ac1821285685a766233fa33d808fe5dc39fc35a36ec063bc2fb652729e649a066fcd6bd98a13f54edafb816707dce36ba

Download Submit
C:\Users\Admin\Downloads\NQAu.exe

Filesize
212KB

MD5
cd198cf4fd44a526f84ef4680373fafa

SHA1
57283f36bbcfad83b2918c0dd644d6bb3ab62ea1

SHA256
f3099fa171623482542141e06dd7041f656c6d9e516c1f31eef5f153f8bd05ff

SHA512
e5d39084b3825dfd3da6d38e7d66ba7117b2fa90160f9f0539e00fe9261f7af73d649b7539c1dea613f0da2ac6799c6b96779b62d2fc6e55ecf33db7785f2f83

Download Submit
C:\Users\Admin\Downloads\OwgO.exe

Filesize
552KB

MD5
a5b70a9627f76eeb976b6dea3694eb08

SHA1
66e08e825e04ebb96799288f33b922ac199d83c7

SHA256
4e8cf56c5a0f5059179ee713b734e289074235b0887a399280d0df71368281a7

SHA512
5117a50ac751df99630f33caa52e4f3e21152d96dfcde9be5e31e1f702afc297a8773b61cbdf706fa84661ddf8cf7bda484588f79f1d22a1d9bb491aa6b67d25

Download Submit
C:\Users\Admin\Downloads\OwkC.exe

Filesize
193KB

MD5
9fa9e84f692ad14abb975956c0ef5f55

SHA1
629cac0933c03f4a0dbcc34da6cb8a199b07fbf4

SHA256
12cef138493b588041f7d8005ea9c7e65fba56047cd3b8f965192c9deeeb460c

SHA512
19d7603abc4222ffee60fbed2c1bb0629146cc35d10811fcee9b7b70b7ead915d6d1ce1f4f4a1cd260d1b21b7fdfb930d99f3f9dbc9f7adb6592f48966aa0d84

Download Submit
C:\Users\Admin\Downloads\PAYG.exe

Filesize
1.1MB

MD5
26380285a744464647532e434c0926b4

SHA1
d5cdb3aeb1b301332b29fd6730e0e5e53d456e59

SHA256
f699d0eb29e9f64d3a7d9b68718087c0b097840b264955d7bd38517e3cb8a70a

SHA512
1b17b56bf538a0267386e983c48e40d1e1252ab02f3c8125a169cf131df56a00a655301d2bf73c1b4804e40886f0d50359e650acb90e05f133f977919c1ac46e

Download Submit
C:\Users\Admin\Downloads\PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\Downloads\Pwoc.exe

Filesize
788KB

MD5
3e2b77109150d8dc336f5621205b80e7

SHA1
02c11044ce9752862135e88bbf1d29e2b1a1c112

SHA256
17b9039f1cbdfa0f930d58c92461c0bcf02eda5a83c9f0cca585c43f7ebcec81

SHA512
a4379fd228632efd1d95252b67a80a51447015d6bcef8bed711d1ed62b271faae7320590895fd37b71ecea029bf4174e2d63cd902c9227f64ba2c18025d0d32a

Download Submit
C:\Users\Admin\Downloads\RsQk.exe

Filesize
232KB

MD5
702d50e0facafa83cc361c891064f9f6

SHA1
061e3e6053f33153d62773345a70958b5f481764

SHA256
df90057056e2b0c21980f4604a2d65305979cb66f7c2f0f8e7011e70190efd68

SHA512
59008d0b6bb387cfe044dc8debf51f65c6162b087aa86b9a5c36be0a8d3f994537bdfb905ed6a9b925d5a7ea1c589789d4fd47e048c30107725a6ce1b9168009

Download Submit
C:\Users\Admin\Downloads\SgQi.exe

Filesize
202KB

MD5
0268060fd6680d990f5b8addf8d65337

SHA1
d856b0f63288bf06bec871b391e2c8b9146e093c

SHA256
38e00c3560b09ec3c1f443e08d36e966474d396415135cd719a19513bb787bed

SHA512
04d5948ffecde90f7a43ce5f7aec0f0dbf4f20f3f813538f856435d366e313b9aa806034ef42d4c6d7eadef6e2cd9243253274046f8eb868d5658978034c5384

Download Submit
C:\Users\Admin\Downloads\TAYm.exe

Filesize
548KB

MD5
4f4b5564c7c981897f7c4bd57a37efaf

SHA1
5f1e5f375cc8842c5b902e3899be585cefd8deb3

SHA256
4c0351eb09fff7327f23ebac476bef42db31e81f40be6f6a716970d7c2a4e84f

SHA512
81eb199eba65e3c4ae963929fb056e3faa6a439b7ea68050d223026ee0f290033de9690422efe0c1d83917d74478a3d6e4a8ec9e376bbfa6aea0991f2b46d85b

Download Submit
C:\Users\Admin\Downloads\TcIm.exe

Filesize
186KB

MD5
949138989d6bb0b291e9c39dd722757a

SHA1
0c87aaabbd48fcccc9328534fd1f6c4eafba0628

SHA256
f2c868321539c47a2bf99294afcb7d089f9f2f58216753cf1af1a8ba1895e9e7

SHA512
76a01b0c9d25b5b77c79a0249c5ddd72506730debfc0d5140219e02f3cfe725ac888b20115459449e3e3b22109f81d96b1cad8bc4b091dddf8e680c92a6a6231

Download Submit
C:\Users\Admin\Downloads\ToEA.exe

Filesize
184KB

MD5
73a02b92490a4378e0bc809a2e5846bc

SHA1
687187591cbede591d64f52e2d00dede6cda352e

SHA256
314fb87b972661945646b4b9a3fa0585688f2ffdc8d522b2b2683bbac21a8a4d

SHA512
4742002709f53f734a7851a3faa855a40db2a8e0ea98b4bc5705d5f1f518757fbd97281165f4630f8745d6ae20b1aae03df31ee680e6a8419b9b728d87198c6e

Download Submit
C:\Users\Admin\Downloads\TocM.exe

Filesize
212KB

MD5
9cf3cd4a760feab5a47bf53daf9f4c27

SHA1
09286768e1744b9d6bb8aac5db1527d648583e9e

SHA256
007d482f5133aae7acda8af116ec81526c10a3d698c88ccf20499b307202c138

SHA512
1d409e4f1611601d5b08abe4b463001bb2c814328b23b2a27f7cc17afbb33f767fa303d057baf86f8495b3d22f746cd8964355dbde6e4f8a3e31d90b05a24e88

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 438301.crdownload

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\Downloads\UnprotectFind.mpg.exe

Filesize
823KB

MD5
2a2573d8a7eaa6ace790c438f21b97a0

SHA1
37ae8f2d73baa0c98229a7afee8ee8c8f1beeb13

SHA256
641b786ab0add8da8829c7eef43e25ce130e0e62e12f7d7e6d2dea74d3fbd2ff

SHA512
e1863b034eefa91bbdf2feb3b4c381cab25a6346b9e3f5d1a0a11daa3fcdb7a3dfdf83c0913a8933a584f96550aa00034fa191d2ce2062011c440f66ee6aa175

Download Submit
C:\Users\Admin\Downloads\Uowk.exe

Filesize
190KB

MD5
bc419e56ebc773563c21aef6e3c4a82b

SHA1
6b4b1a4c2aa777f4c292f72549c1fc26a3d96610

SHA256
7e89dc439b62eaa4fb41e5e54f323dc4881dd74b0aa42092a8aaa1dbb8da6063

SHA512
2919e48637e6e8ad146a21f069c5db0a89b2c39c7b63eb1bf47cfd663abeecd6f4e9b2852a8c421d41e620ecd26b2dee4771d1bddb0887e6b4f1a9b17ea99f37

Download Submit
C:\Users\Admin\Downloads\Vssg.exe

Filesize
203KB

MD5
548e88569038c60d5b278c8e2ce1f57d

SHA1
99867029a0126081395e7b1267bd157f75f75bdd

SHA256
787ccd058199aaff378de7abc8167c29e6c912dc66ff732db8f55099703079ad

SHA512
b8a7e791f8e460ae53f5cf3d85ded767fe9dad6ddb81a7eab0daf41fad1167776e3b0c22f71de6668f2a39fce7638e1b30f20ad01259629cf46dd97373d764de

Download Submit
C:\Users\Admin\Downloads\WAkg.exe

Filesize
817KB

MD5
80719c372f7723b6cf91f15895eecce9

SHA1
cd4ec7f056aa8635fbf0965ff894f84c0c47b99a

SHA256
afb9de15931e6f9c59b727a05bb1861579e02d7e54e543175d9e826395e99587

SHA512
27366838f60772148a5215fda068ca352f9ee4ce77f1b721e6b71270cbdb3a438b07cb256d93730de4002e8a14a59f170626d4b89792c77ad1af244ce97f3fa5

Download Submit
C:\Users\Admin\Downloads\WUcU.exe

Filesize
203KB

MD5
72ac1ccae6475d70885b417ca2839138

SHA1
2a516e6cec85b3beaf27024ef4bad8186f178eff

SHA256
1346f6f99b6a31399619b549c7d30f32dbbc1613fe491e579486cf63f3544d44

SHA512
0e2995740621fd970af461a1feab5ac98e110fc400a87a1028a1022781742b2f7364df71d731d53ff05f93d64b2fcf9558dec9a159ecfa9acc9f439949ccbf09

Download Submit
C:\Users\Admin\Downloads\WcYC.exe

Filesize
644KB

MD5
85ecffcb8c8ec94083266cc58ebb7c63

SHA1
d6c25272996140df9642ac161eeaa23d5c66ad2b

SHA256
5cb7bad5bbee27f78bc926b524b3b65385405853078384a8b6c6ff4b69e09ed4

SHA512
8716ce5071d0df9f0d2f6d12302bdee710dcbf81ebcc4c635429d7db7a8f33d6d5d2cec6fe30292d471be685eaa13ef4c63ecdcfebd7bbdf6cc4bfaad3fdd805

Download Submit
C:\Users\Admin\Downloads\YMEa.exe

Filesize
569KB

MD5
e7c2df32b591cd08bd2e090a86c7fab8

SHA1
f6eaa6131b330b666fec2cb59faaf91a298578fb

SHA256
f39572558570e28e0bbe29c0a8328c29426dfa07550031fc66b1a011bcd10735

SHA512
520e599d5e9e17dfb2f0f924e515b6212cc773687363efe7ebf68643f3d6ea9f653e0d18d5f6ec420c9d626cf29285613b405b1d7f13b417d1a19ef42f45e8de

Download Submit
C:\Users\Admin\Downloads\YQAs.exe

Filesize
200KB

MD5
9cd5b471f7e812b8f6ba9696eaf622d3

SHA1
53a8a9b14ce706dc838cfb6beb59b944657b569c

SHA256
85c45f211bc75b64a5c0d1df1e2b79cd886e2de38577de08cb413c28314c4688

SHA512
114b576a55207c98934e674af219da558a003a488cf7fa70a227445ac749ad606493198dbd97b097d949112b583a7770d24b9581ed3f1961c975f22a4861eb1f

Download Submit
C:\Users\Admin\Downloads\ZMYi.exe

Filesize
209KB

MD5
749ca3957c52623bbd6b68d159de08ef

SHA1
648d1fc2b6de776b3b3f6b1f83e3fa6a9a047e00

SHA256
6280460639a305d2e966a589a6a1a6b3e5855d4cdef737272f8e004c9f1be18b

SHA512
0414fe0579ba50e0d1116fba91e919e1f161e62aeccd57258ab7831de60590fa0309d1d0943c14537a5abbb9a6511dad11071df0da5d3a0c3c47288d9ce24bf1

Download Submit
C:\Users\Admin\Downloads\ZUEc.exe

Filesize
241KB

MD5
c85d6000bb3d7d304fade413e9442610

SHA1
439412fa78ad5d755fbd2e01872d8de9c7397392

SHA256
7a7a0c776215a5441b69f2fc6f4746023d3526d1e7454bb84bf3b9edf9bb62c0

SHA512
51fdabca882cbd7b8536455c0fd8a72d541daa34e2040a188c329c437ada1aff9330c3af8f73492bd98de825180e9316ba849fee8bd7f677a58c9b5a82b13114

Download Submit
C:\Users\Admin\Downloads\ZwoQ.exe

Filesize
585KB

MD5
66c30ef369e56701e25dce73ce6993da

SHA1
405861ecae00907bab9a03668f09a55825229945

SHA256
8de3a2d25b1795b8d0f22be02a574d5bd71aaab44d0b9e8de3ebe42d6d799e33

SHA512
9d9a346f6ffbf8244d1e5ea541cf2bbea79c4098fb91db512950972329c170d244c5d651853a46c79b6cd0b61d391c95ff782c0f989ccb9f584151a96366abe6

Download Submit
C:\Users\Admin\Downloads\agUe.exe

Filesize
188KB

MD5
159d2ac1633da6d1c96899f042e87d23

SHA1
2f200fcf5ebb7596811d13c90fc3f26a1515d8ce

SHA256
c5dea80477f07750ebf4e260256bbd72c8f2b168d2225f58fd515c5cbdd238a1

SHA512
544260f3ce73278a0c04b2117633eb6d067e46b74647c419f905b27dfcf2acfb40d26a212125105b56c893f439ea7e823837b596da2cd85ad187f2c0d84214f0

Download Submit
C:\Users\Admin\Downloads\bAYe.exe

Filesize
914KB

MD5
970ff4c9381a8f03c0d4fb01a990d649

SHA1
8e17d1764901eb0e640130178405284791882518

SHA256
5d39f2e78107c3c1502bfd0febbc988cce1e10ec2006296b7fa4225bce3d2c85

SHA512
c7afb17cb897b5167d090c16402cd5c5a0b16ecfb084907faf56671c1da47fbc042a7ef8a0621a0e18b4cb7872d5e4167280d6881f4c45c93f0a4cf5b0a34367

Download Submit
C:\Users\Admin\Downloads\bAcO.exe

Filesize
188KB

MD5
3f9c9affd89db6fac81397e9c559b676

SHA1
16068bb11f67c5b27c3f86ea87a4578d36a45786

SHA256
03061045875f6afd1c26e79192abbe9c3ca9d845594f1d4620fc13dd24e8d555

SHA512
68390cfc4e6cea207a6be7cb1fa5ced902f39dfd74b8a8f58f0f23f29de34a9e85a5f21377d5ff9bcda5177cb414320e64228500c2ffdd1aebc90da03af25db1

Download Submit
C:\Users\Admin\Downloads\boAc.exe

Filesize
199KB

MD5
913475efebe71df76d213877d1bc6cba

SHA1
3f25098df0b97da22b46d36e355cb1fab51e2ff6

SHA256
3e785b09b6acfbd23007205b0e0244018e959b0f251b5006c4f333610b753278

SHA512
68ed033f5c09ec0486ff1ddb8e309ed0426a1b0bcfb800c18bf2dcbbdd9e2f6cb3aa0eb2b4802eafb9e7ec88315d269f927f7bb1992d5778a57c5adca7417ee3

Download Submit
C:\Users\Admin\Downloads\bwco.exe

Filesize
534KB

MD5
d4084c1086802361f6f0beb9a9988477

SHA1
ca868eb35ab95c6640e9acaf5b8aaea7574a67ac

SHA256
cd861c586622314773c452a88dc3013f4e21bbb1ff005576cff61ecc5585950a

SHA512
a8fcd2c884465828cdd0671d33ea8dc3eb5fdb63754f97b45f3b010e9c1660a0c56a4cb25b3154616b45c6aebda46a66e9d055e5fc92c23f0c14ce354acad7c9

Download Submit
C:\Users\Admin\Downloads\cwAw.exe

Filesize
206KB

MD5
d2feda378453a80433db65f842d755b9

SHA1
0b96e4667da114859c3f5614356f578db16a2c6a

SHA256
338f0254cc335a665adeaa9d21d1091150a07606b41064c2deeaaea9cc7d4c91

SHA512
c3d002ce17771ac73051e8314d7105a9d6bb853523aa59527971646ab6de98654054fab218ede75b56136e46510cef4f34c7d505c1d74445aad27d6d4bfcb6cd

Download Submit
C:\Users\Admin\Downloads\cwcq.exe

Filesize
312KB

MD5
316862ef5f8ef60e133561a9c352641d

SHA1
245d7e31801e8065d53f958600146057616519d3

SHA256
6a86191e0307fd65524d6d5f5d4d528250676d16b0e09bae479f9c5a9fea0404

SHA512
ac5a61180fb2ad9ad1ca1571b300f371294dddf7b0b9b7b92bc8d06491f3e9aa358af2f9129880420bfa9ff83d8c313c5df45a973d344019afb5284d77ffcfd2

Download Submit
C:\Users\Admin\Downloads\dIAU.exe

Filesize
469KB

MD5
becaeeccf40daa427326ce2042d6d364

SHA1
4f7633e9de672e55b4397d8d454c5e4415502ebe

SHA256
935bd94adf2252ef1c9823e223178d63b92178435d9ed5367691ac8bd2ab94ba

SHA512
3400aa341a3e1ced0ad976c335a3266322c3d6806cf164f629c8ab4a32d12548f25c266ea6a2f7817bb76bce259f54b2cac975db6bf4f92419ea2ab60ae9a613

Download Submit
C:\Users\Admin\Downloads\dgMm.exe

Filesize
627KB

MD5
c4247f182d8c5e3ebacd9ecfb84c3b0b

SHA1
bf3dce6556395993d9734bc3248aa903fb62b118

SHA256
c5217a813a39d0279b568f8314da09c2efa3cb3078bc329db2386cd6ea8c3383

SHA512
1701e5225d94bd71cb1c71848386c23d4f0b743651b38703dd89ab4078e8b0345926e239850d24d61b6301c7a9690ce39f665cffd3a984c8749c583941155703

Download Submit
C:\Users\Admin\Downloads\eUkm.exe

Filesize
190KB

MD5
842bae0b7b1c9cec0111a348ad475db9

SHA1
c0d040f06ecfc51028683c96cddb232c4ed07bf4

SHA256
1ae8a1cc98642777adacff50735b4fd053a3809cf184300309510429b50f289b

SHA512
9980724122caf544bcf01fc7f61a990e500559776311a5b780658e59710aabef4734239f75b8608d284200ba153f6edf83171602e7e31e1c89d9b1a42bb6f36c

Download Submit
C:\Users\Admin\Downloads\ewYo.exe

Filesize
203KB

MD5
2fffa968f888c1935fd652352953ae9d

SHA1
90a6c32c84be2b6bf71b89cb1b400272a3f7d1a9

SHA256
84715ab0d490b7c57928fd5b7016a3d69ada0ca74b929921cea262a0344dc1a1

SHA512
3bd9fb46c11421e6b4ff9359cdf0c64c6babd5f57c908d65ccfb33b2aaeb0648d87e3b74fea6753eb70e3e8aed8f3e0a3673879bcc9a70937666b6b5bc16497e

Download Submit
C:\Users\Admin\Downloads\fYAu.exe

Filesize
209KB

MD5
7ba3b1ab3f2da6be7f08abf5e838c4c4

SHA1
d1d3aad27a2e433a0f7231f5713c963218912f55

SHA256
99fc1fbd9e6a441951bf6e46479e0a7d1c8728ad33ed580a4fa7b183aa9c32a6

SHA512
5de986e7549f4bac2ca193cfcea8acb47ce68250adec8266b8d32924e924314b9b725b57c46c6945312e021477080522698ba46ad8b465f7527b8e407022a1cd

Download Submit
C:\Users\Admin\Downloads\fYcy.exe

Filesize
252KB

MD5
df0858d5a0dc889e94710c7330eacf24

SHA1
79b3f4afab864e82114a9f86f9258f2b8f4d064b

SHA256
7f8e77f71fb69885f805b981988386306999ac6c8dc83625e6ca922d6dd9d7bb

SHA512
c74750e73542ef1d614fb123ba71160b82d48a0ee7a574741bf881505c8fe6d4cc60ff8d9c5e4aee31450d04ffc7256bd0d85afabe10e7a88e2d149652c42818

Download Submit
C:\Users\Admin\Downloads\gYcC.exe

Filesize
645KB

MD5
756fc35a3a37c354da5fd67bc6d877be

SHA1
d37791b901835e2a582c8d907f0905ebb51dca7a

SHA256
fedd85b7f8bff8c2ae27406432697aa1361655d936b386b9172b85b59d1a252b

SHA512
08a2fdf4d5f573316ad4cdfa5d88f450fafe8b20a7f370f7ac4c1fa58ec58184ca51e91db8fbcf5cccd9347f1ea0664428ca14cb38673fa57d2e8cff9dcf949d

Download Submit
C:\Users\Admin\Downloads\kUMo.exe

Filesize
438KB

MD5
c702ad8578b1d8564330f61c20d8bfea

SHA1
7093a1accaed898e41a17a7e0daad5e560e86302

SHA256
1fd9d54a79d662bbbc8dad4d532974e13f16f1873ad2164c7d4b6c78d3bd59f6

SHA512
99aee1fc9a69104c2e4c49c0bfdf64390fb4bc4ebc6324edb3c140f9ad8447e3342ee71e5baf7d8c0cde7de177738404ba729c55b4eed34c8f84eda3855841b7

Download Submit
C:\Users\Admin\Downloads\lMQG.exe

Filesize
743KB

MD5
3c6df5ae86485b2d65cebcefcea44c40

SHA1
43f2a374d88da74466508c49e54206c4381fba83

SHA256
8fb033dd7ede2eb681810c8dcff5b05ede8679040620da8b7a61c10cb0fc1e5b

SHA512
caad19b7ded5aa230c49a55dcd5eaa12454565a185658d4f7e47a58ffb8d45115bb73d4c7d84dcbe8fabce35d64afd4dd8a690300e64894865b8ca39b0fdb0ed

Download Submit
C:\Users\Admin\Downloads\lkoy.exe

Filesize
214KB

MD5
b515ba15eb6d9d5d69bfe5ed96cd9846

SHA1
391181d565ea406c4e8862ba8ed97b7683de198e

SHA256
be32cdb5e7b6b850a1ea5730719da2566955b47f489ef3ef729d42171cdc3ee9

SHA512
7f0b046daaf0b3f6996d188f8858dc2e9e9db800569089844dc36654d9305f1b4937b0ebaca345be31390afb3da0e21e83e537109a4b9a60d612600be5c3544f

Download Submit
C:\Users\Admin\Downloads\lsMi.exe

Filesize
791KB

MD5
12df6c357bc979588dd88d9c2b8a9f98

SHA1
27f01c03b0616b19da6adfa65f32ef8e54ce347e

SHA256
0e5c56d11f738ee1335ff5630ff7f490a9bd42f154b326c44b014541d2e7fa8a

SHA512
7c3be8246c764be1c915c900acd3d158c2a3ebcbadab003fba782e5743ea85a3fdbff6157c0ce71c424e2a076ac1de1ddec1a9564b64ffe9f3bce478c41df682

Download Submit
C:\Users\Admin\Downloads\lwQU.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\lwgc.exe

Filesize
1.3MB

MD5
aa25e5881ee48c82ae037455217cb53f

SHA1
530f76c711c0695cf1af06bb3a40886ad88c0947

SHA256
64bea0c825091afb753e6a38a0a0343ad27ef798c83419040fafac1fb2c67fb5

SHA512
4a441121b83b9306eeaf917001abcc1cbe52fba4b22c6e61a470a109d74c90697d984673bc982d17fbf05d469b2ab989446cb76462c0ce03faf463291c3dfe2e

Download Submit
C:\Users\Admin\Downloads\mMoo.exe

Filesize
643KB

MD5
944eb5f1dea1204e6cffd6994342f7f6

SHA1
f40d05bc10adb697b523d96e2013e2dbed1237fc

SHA256
abb1a5c5ee110703b3e7ad46726df0be108924554802d8edc9d810b54edb0700

SHA512
334a54d72a420d993dac44c4e161aa67ef42eb7b1cde64dc35e37a0e4dd8bfa49f752982e7c2c971ed30feeca9975198ac75b55a189f96ae6103ec3af7445659

Download Submit
C:\Users\Admin\Downloads\mgIm.exe

Filesize
199KB

MD5
d735981ff10a84673b1c7a612ba4b00e

SHA1
d9d0a80eac1283db9b0c7c2dbace910b1c682541

SHA256
bbbebda780612e643ec82c77cf5f54ee8f70b4bab4ec0568d3f5fdef525c16d5

SHA512
c406af662d6df2e94ea96d4e61c2996aa0a58c4d197d8ff3c84f220e5b1805c2c32e08a512cae59ee758ac1326296b1f18e440043008190b21a2413eb9d235ee

Download Submit
C:\Users\Admin\Downloads\nEss.exe

Filesize
202KB

MD5
1fd793f10de9c7ad2bd3455046541eaa

SHA1
93b9f93cee1213c9b8de4cfac32bf104a9ef0106

SHA256
7b174c35a1b20c759bd331e5433ae785654645abc5ff7fe4f892fe4f8b3fe515

SHA512
7c99a41df8ad2fdcf5cbce41e278e6f8db8ee4908660103fc443324265a1cde39d4d68f738294405cb1ad92feff0377971eaacbd36051067b65853cbbd15c0a1

Download Submit
C:\Users\Admin\Downloads\nQUE.exe

Filesize
799KB

MD5
9145c4279b3309e456e1b5fa2150c29e

SHA1
a37952a15e4a3b66484bd41b08504727edbad56e

SHA256
6ab879ca65d42816e4c0fdeb936e9fa81d50edcb0f64b0446aab03c12e748d51

SHA512
8b3f2e6172561e55eb1a97eef7820378a95055df277e987a71c74910803e28feda1761575a4926ba57eee8eb6420a2459d4c5af609650775e8c316251bdc41ef

Download Submit
C:\Users\Admin\Downloads\osEu.exe

Filesize
204KB

MD5
faaa06e3232f73ddda0f95d44820a099

SHA1
d01e61a041a4f106bde9a8c95dbe7953327c40db

SHA256
5945f1da4972a9c11e6782b529db372a1ad6a32a7b1e6e60af39b3e22c718f28

SHA512
d2cb744716a4a7d2b1cc60bfa21525004639d6ce47079b8bfb7daf2fd0049313cd612c62206d3a47a3082f74235908dbdf5ff87c0a86cdd87d22e9a7562b2bcb

Download Submit
C:\Users\Admin\Downloads\pkAY.exe

Filesize
208KB

MD5
19f81dac4d89828448e56a69b2b56ebf

SHA1
d8046430ecc1f66d22d0b8731b9e0671ed769416

SHA256
33ecd25c07f223eea0a95b8b2471dcddd341375988db657b982520009ac56ce2

SHA512
e73d36238e372027d9b39cc9fca665a18a0396aeafe4383cd1a3b9551e7f2d31127b81083358405184fc57eb71133c26bbcee8bc499548bb22b730f48b1b9d48

Download Submit
C:\Users\Admin\Downloads\qMQy.exe

Filesize
1.0MB

MD5
33de4b35997d71ca99f65aaba5b53522

SHA1
008ee7316bbebdb9b2cbb612e9684c5fbc1becc1

SHA256
14d67ef9df460e84e226f6a937d83d046242b8535f3d5fe30e97c76309ef0ff5

SHA512
2b577cde834db4dc0d6695bfb61e044c98eaef7e6a6867b6a2aeaae720d5a2b16aeebbec287079551d0ab91e54773a6c81d89df2bb4431d6dae360441c2c27fc

Download Submit
C:\Users\Admin\Downloads\ssci.exe

Filesize
934KB

MD5
18615de340852cd265919f19290fb541

SHA1
cbf836a416dbc1f43a1b57e9e77aa5f223b9f9ae

SHA256
195831fe80825db4afbd224fd2a3266e2c12baa9f5d6d1be2fc7501aeb50dd0d

SHA512
a009f68300d9bbc0e9c2f047cde2723afc93e1312f298f3f9b399ee4387c566fecc2f026c50ab1ab29829769d130437a3fd084f0a197f77f2f136dd6f14aeb89

Download Submit
C:\Users\Admin\Downloads\tQkO.exe

Filesize
199KB

MD5
988cad88e330372a076fc153daaf1f59

SHA1
e0dd2c9fabb472fbbb0078db3c0bc0971664c154

SHA256
55cae6390c2219f5e4b5550a6db49f84d3666f7948bcba9022b17d8b977abea3

SHA512
ac991097db959d2ae12b95746339673f326821bc5b102fcaaf450e03d12903b0ed03ff57be7d6f4909cb80638949d40c7b2aa7a72d4de60467a9df2f5b90d85b

Download Submit
C:\Users\Admin\Downloads\tcMU.exe

Filesize
568KB

MD5
14f01a71616559150053f39810ec12cf

SHA1
f669750ea2eb5b740d45bfdbf0e8b9fbbf2ab882

SHA256
eaa7c5283910b80d135b7733fb67f000a371db904d608e0ebdc5b81354c17824

SHA512
309054a38d32e1fa68db9f9ddbf638826f9b68f1705cb97baad2829128abdcfba254e834356800403af687a7eaf0e3e117f41d52e3365613529cf0eebfc4f931

Download Submit
C:\Users\Admin\Downloads\tsYK.exe

Filesize
807KB

MD5
34f815c574e899ff12623f5f2c87e537

SHA1
45a3d20d1e47945329855d341326fe66059350a0

SHA256
0e70da627bfe2614e6a17307e4b5ac5895fb889a0034d9069490152aef04c9f9

SHA512
baa5b4ca46596ef2245d642cf9fef21a7f07d8bfd88196f39a5f77f7703d0c75297b70b0308e2d924cc243c8591ae915ca4352721a7b827918156b310b42504d

Download Submit
C:\Users\Admin\Downloads\uMYO.exe

Filesize
227KB

MD5
accfc537821e38d1ba4a0bd7aa8351e0

SHA1
62bf4e5a1eed9f4c6877a9532a58f4fde9d9e83b

SHA256
1a73b083b5fa8a276c9351fa471cbb24a7dbc671d72f0cc566684fc372831432

SHA512
3346ce46ba4dea69906ff43a2612f148a1888db66b4e0cdc1542b8e512fd7027e8d7d0c7501e73fefa5ff7614886218e8f2485d73b154897fa57b04c911813ef

Download Submit
C:\Users\Admin\Downloads\vgkK.exe

Filesize
618KB

MD5
741b81680eca11850422a77c3cd42ff1

SHA1
3c486af5b6b1674a09582e0f376444d055761000

SHA256
a7e2cf8193ddd29024b46390f5b90fd2d95e0c41fd14c9030440d9167f1ab8fa

SHA512
79684d1848c0bc9c65451886e8e230954ced58243b36f8b5e2d42e41ec8ef4decf1d2013029e8fafea4b0e1517dfa1bfe8baa4cbac8ebb2c1b275c07c8fb6661

Download Submit
C:\Users\Admin\Downloads\wQEo.exe

Filesize
308KB

MD5
0a6c3e2004264e7c0da2aa50027e212d

SHA1
78b82278dea03904efe5456946fc280a80ac9d7d

SHA256
76d1d791b9c82742c8e55ecf9b58573b262389a105a5e3dfb759d62e6c3d8ba0

SHA512
e8e2fe6c3f4b1a2c984c00f1050b42d08314a341fb6f7b390982e4902b6f63d11c6e0ac7eda56d5da2b42ac05d60e5b25804777514b514e7f6652d2f058fe9f7

Download Submit
C:\Users\Admin\Downloads\wkwC.exe

Filesize
648KB

MD5
13bd06f5ca5b24d452fe2c6b17fcbafc

SHA1
1f1ee2f3020c4695c9818dd833c9d84ebfd394dc

SHA256
98ea0da5fdd3d3697286638b557956664deef0e98c220edcd1c6555158d8e41c

SHA512
bf952a79b0b9c42b123548782f24d682398b33646ad5e829ab81f2e4dc2b44f7e9ea9a23fda24ee8986fae611de01e65ee3f15b2e8877ad9325d288972bd02d3

Download Submit
C:\Users\Admin\Downloads\xAIe.exe

Filesize
198KB

MD5
540af488641541278f4266fb48d27cfd

SHA1
42a20b5eefd636af30abef42ea760f9dbade3438

SHA256
437c569297d83ee00fc7c04ada225b8cf67f2a7afd1a3e751f1aa8ba1a1f17be

SHA512
1acb18cc0a5b8a7180bb93f3732a89a28d5232426487cf97b33f5bbaef1765922ee5fa4323d1f573a65e000c692ed60c257c9f379aecad7134224048e523ac59

Download Submit
C:\Users\Admin\Downloads\yIwC.exe

Filesize
184KB

MD5
02692698a3dad9da56db9d49e136e84e

SHA1
5401600ea06ea045f90999c125c6e9ec0051391e

SHA256
f61a238414a6b2abe8561089cb85cd72fbb71383bab6beff5e5486c86ee64545

SHA512
d7507777703c48377f444353b22d29a5b28d11fcf2915fe2616ed7cb8240b52ce03d5229b6e6988c35c40c81605b7bb6c7b9dece5a3acc7a541b932861c02b5b

Download Submit
C:\Users\Admin\Downloads\ygkM.ico

Filesize
4KB

MD5
34460862c89281546603585eba87f992

SHA1
c00e6558b839be12b54316e87116042454cccbd2

SHA256
bcb253ea3735a0cf0a8c6ee06c14c884937c64ddeacedb17240e40d403577620

SHA512
b21fbe3ba5b0a15dfe6d5797dd72fdfed7798748b1acc8846251ff1f58e164380a0bb2ff40a110f2b86fc6ba76abbb8cbe7a148eff697ef39a5dc4d1448bfe67

Download Submit
C:\Users\Admin\Downloads\zoIo.exe

Filesize
200KB

MD5
86de67bb90ed9700672e9135b83007a1

SHA1
73cfcf197ee039ec4dd517bdcc614f646e266513

SHA256
40eda74a4594e20ff1f8627e897540b654202c12e80f80a1e6a51d8de8455530

SHA512
6e19a73a64507db06099d2346c81a7f178785faa6f362c242faa18d9857ec5b4472a74c542de73f42ff47515e62204ce5cfe1fb613540a2ad807d09c8b48c19f

Download Submit
C:\Users\Admin\Music\CheckpointGet.png.exe

Filesize
1.6MB

MD5
827d3be19165b383f108ce323d12394d

SHA1
cac93f41c2205402ae0561b912f12cae1acebcb0

SHA256
d30bda21db6a7138a72608d5d44ce74397fcdbcdec6a1fc23300c21fe9073e86

SHA512
5bac65d23d6d3275a01dacd9c64a2f77e1a82dc00cff4c2b9ae9e1df5f382102378619be1022510fd670073163e9afe3fa56064f60d1b166e25a1eabe486909a

Download Submit
C:\Users\Admin\oekYcMIg\mcYwYQYs.exe

Filesize
202KB

MD5
91a6ddb08bdcd642f0636111adfff300

SHA1
963ecc1e7a3731beb193bf4580aabd0ea7e035f4

SHA256
8903a9be5d807e1fa6d46b4f86ee4cfd847a5aa5093961791f79ebbb2580f54c

SHA512
cf37543086919133b1735f79e8c1673a92c1f50195322cd97f324029baee97573e13ec9e359d6f92158ed9f4898e54e7296e8df89df14c830785f33bcaa4a5db

Download Submit
C:\Windows\D52D.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
f6f7dfe324da976481c8730ffd5509c0

SHA1
240f9e6e3caecd8ba5b95a1e426f9d61655a56f1

SHA256
7d03ed6535d8c34bf9672eeccb16cd0eca0d50941b7e2e410b0a7be58545d686

SHA512
4b1b7a9daa0ee984c124f6059beefac7bb2d24599e435b00f1df6a10d752eef7d5575a69775924a3ed8fda20566f4e1cb07b02eda68b81662fdd128c807929ed

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c29d6253d89ee9c0c872dd377a7a8454

SHA1
46be3800684f6b208e0a8c7b120ef8614c22c4b0

SHA256
03f4198a279ea4c36a62cd271d3b2d796547013548666006fbef45e20bb920cb

SHA512
50141de5e0a827688251161353932b677c85e0d6e6831293c9a0044543e541fe8bd4e62fa403abc06df9d220fd843aa58ff9cc37abf46be3e06ae14905c24a5e

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
449546d6d9a953b1364147ed0755c3b3

SHA1
8306721ab3735df6a5e743b289011b04fdb763bc

SHA256
50bbb61b89a635adcbef23b498cc5c83bc94d161f816131433eeff9143d830b5

SHA512
ed986c6d12deca8d3357d16c976bb1535455c668520f9229f08096c9108a26aa5cc45cfba967e326b3cb1ceb25c97174161800311bdb1a652baf4f0a7c2114c0

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
4e46d3825c01ec53e22d2fe7c4a7a582

SHA1
6cce78e16ccc0178d3b9b3fce26b249103bd1e1e

SHA256
f662641eab0abd8750a6c629357bc8b67597f6858273cc2e114d03da44a29493

SHA512
8287d2feeb1be2df830c0973180d8752ea7d159a4ec42d900198e0a1c41c9fd1b2676a6e682cd8781d90d23bbd49e3c410ccff174133daa535301a0bed4a9d97

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c4f26ed277b51ef45fa180be597d96e8

SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7

SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
2b2479fe80dde99dd497a1ca41d5aa23

SHA1
19116ce6ff6d859a91d5a9c7828b6b793c431479

SHA256
a96e54ac864ab635e4b05b29404555c56ec5bcd50183384de3a724c4c80334dd

SHA512
d6ad7e7216073181d36002c704a1ffbe9823ebf8fac85a21f8d98fe21d6d28f0de338fbf7d7e7f857056c04a14729b8406db77a47b3dbd26bc873dd2ff9f4b37

Download Submit
memory/200-1728-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/476-1744-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/560-2219-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/700-1736-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/752-1839-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/836-2097-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/836-2285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1004-2139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1092-1752-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-1873-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-2087-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-2034-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-2076-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1192-2060-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1192-1660-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1424-1634-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1492-1795-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1652-1915-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1788-1931-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1788-2322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1860-2121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1900-2277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1908-2129-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1936-1907-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1944-2026-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1960-1966-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1960-1954-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2084-2018-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2116-1320-0x0000000000D60000-0x0000000000DC8000-memory.dmp

Filesize
416KB

Download
memory/2116-1328-0x0000000000D60000-0x0000000000DC8000-memory.dmp

Filesize
416KB

Download
memory/2176-2355-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2236-1949-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2276-1285-0x0000000002F80000-0x0000000002FE8000-memory.dmp

Filesize
416KB

Download
memory/2276-1293-0x0000000002F80000-0x0000000002FE8000-memory.dmp

Filesize
416KB

Download
memory/2404-2251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2580-1881-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-1710-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-2269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2916-2000-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3004-1626-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3044-2147-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3048-2192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3068-2471-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3068-2010-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3096-1684-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3108-1829-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3108-2044-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3244-1863-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3244-1851-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3304-2052-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3356-1889-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3464-1787-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3464-2070-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3464-2294-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3512-2531-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3768-1702-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3920-2200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3940-2419-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3992-2507-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4188-1618-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4188-1650-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4340-2261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4376-2227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4396-1779-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-2155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4900-1668-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5152-1813-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5216-2160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5216-2178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5244-2312-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5248-2318-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5248-2330-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5256-2079-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5272-1941-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5356-1676-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5360-1958-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5364-1352-0x0000000002B30000-0x0000000002B98000-memory.dmp

Filesize
416KB

Download
memory/5364-1360-0x0000000002B30000-0x0000000002B98000-memory.dmp

Filesize
416KB

Download
memory/5376-2235-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5444-1976-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5492-1855-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5492-1821-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5512-2105-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5564-1805-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5564-1898-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5564-2113-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5628-1984-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5676-1239-0x0000000002C70000-0x0000000002CD8000-memory.dmp

Filesize
416KB

Download
memory/5676-1232-0x0000000002C70000-0x0000000002CD8000-memory.dmp

Filesize
416KB

Download
memory/5676-1242-0x0000000002C70000-0x0000000002CD8000-memory.dmp

Filesize
416KB

Download
memory/5692-1604-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5692-1584-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5696-1642-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5700-2300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5700-1597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5708-1598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5708-2317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5716-2164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5744-2304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5748-1718-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5776-2243-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5804-1992-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5940-1694-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5972-1771-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6008-1923-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download