infinitylock | ddd61c9f887cf5e0e83f70af0eb70ac5bf7a64249d2039b77169a4f66eedd1f1

Analysis

max time kernel
257s
max time network
274s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27-09-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P3S_FW_V01.11.0030.bin
Size

59.8MB
MD5

9245148c449cc2e848a6867a6a3fa80c
SHA1

29045cb9ecd4ef59380d14018cb61c586d0dedf0
SHA256

ddd61c9f887cf5e0e83f70af0eb70ac5bf7a64249d2039b77169a4f66eedd1f1
SHA512

f9702810e9db9b34ca7e053551ad6eb592331d707a0b645e17096e8319187f6ef062fc763f8c20e96d9005270a1a5a56212706bfdc0b996771a99c030c5b38cb
SSDEEP

786432:JLukTyODtzvxu9osMr66oBxl+2oRBglhRwz:g4pRzYoMCtn

Score

10^/10

infinitylock troldesh defense_evasion discovery evasion persistence ransomware trojan upx

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Modifies visibility of file extensions in Explorer 2 TTPs 49 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 49 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Downloads MZ/PE file
Drops startup file 1 IoCs

Processes:

DeriaLock.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe DeriaLock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock.exe

Executes dropped EXE 61 IoCs

Processes:

Aurora Worm v1-Cracked by RoN1N.exeAgentTesla.exeDeriaLock.exeGandCrab.exeGandCrab.exeInfinityCrypt.exeInfinityCrypt.exeNoMoreRansom.exePolyRansom.exeyUIkUkEg.exeOyckYYco.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exe

pid	process
5056	Aurora Worm v1-Cracked by RoN1N.exe
4284	AgentTesla.exe
1972	DeriaLock.exe
1480	GandCrab.exe
2004
4372	GandCrab.exe
2632	InfinityCrypt.exe
3712	InfinityCrypt.exe
4112	NoMoreRansom.exe
892	PolyRansom.exe
1048	yUIkUkEg.exe
3372	OyckYYco.exe
4872	PolyRansom.exe
2492	PolyRansom.exe
2920	PolyRansom.exe
4872	PolyRansom.exe
2492	PolyRansom.exe
4516	PolyRansom.exe
4692	PolyRansom.exe
2668	PolyRansom.exe
4892	PolyRansom.exe
4884	PolyRansom.exe
2668	PolyRansom.exe
4036	PolyRansom.exe
3004	PolyRansom.exe
880	PolyRansom.exe
380	PolyRansom.exe
3540	PolyRansom.exe
3912	PolyRansom.exe
380	PolyRansom.exe
1032	PolyRansom.exe
3380	PolyRansom.exe
2600	PolyRansom.exe
1032	PolyRansom.exe
5076	PolyRansom.exe
1904	PolyRansom.exe
508	PolyRansom.exe
1560	PolyRansom.exe
3428	PolyRansom.exe
632	PolyRansom.exe
2668	PolyRansom.exe
4876	PolyRansom.exe
4724	PolyRansom.exe
1076	PolyRansom.exe
1408	PolyRansom.exe
1252	PolyRansom.exe
380	PolyRansom.exe
4056	PolyRansom.exe
1560	PolyRansom.exe
4064	PolyRansom.exe
3428	PolyRansom.exe
632	PolyRansom.exe
2880	PolyRansom.exe
3428	PolyRansom.exe
396	PolyRansom.exe
3592	PolyRansom.exe
632	PolyRansom.exe
2920	PolyRansom.exe
3592	PolyRansom.exe
348	PolyRansom.exe
2148	PolyRansom.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yUIkUkEg.exeOyckYYco.exeNoMoreRansom.exePolyRansom.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\yUIkUkEg.exe = "C:\\Users\\Admin\\pKIIUMoI\\yUIkUkEg.exe"	yUIkUkEg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OyckYYco.exe = "C:\\ProgramData\\VQAQcoYY\\OyckYYco.exe"	OyckYYco.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\yUIkUkEg.exe = "C:\\Users\\Admin\\pKIIUMoI\\yUIkUkEg.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OyckYYco.exe = "C:\\ProgramData\\VQAQcoYY\\OyckYYco.exe"	PolyRansom.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GandCrab.exe

description	ioc	process
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\R:	GandCrab.exe
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\T:	GandCrab.exe
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\E:	GandCrab.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\J:	GandCrab.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\Y:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\Z:	GandCrab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

151 raw.githubusercontent.com
152 raw.githubusercontent.com
153 raw.githubusercontent.com
150 raw.githubusercontent.com

flow	ioc
151	raw.githubusercontent.com
152	raw.githubusercontent.com
153	raw.githubusercontent.com
150	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

GandCrab.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DriverStore\FileRepository\prnms003.inf_amd64_bb379132d2c203f7\Amd64\PrintConfig.dll	GandCrab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Aurora Worm v1-Cracked by RoN1N.exe

pid process

5056 Aurora Worm v1-Cracked by RoN1N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4112-4362-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4112-4364-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4112-4363-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4112-4366-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4112-4583-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4112-5125-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4112-5446-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

InfinityCrypt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\AppStore_icon.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-BoldIt.otf.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-focus.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsiProvider.resources.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_18.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sr.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_field_grabber.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_zh-TW.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected-hover.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Toast.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ko_135x40.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_sv_135x40.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE	InfinityCrypt.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 7 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\GandCrab.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DeriaLock.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exeNoMoreRansom.execmd.exereg.exereg.exereg.exePolyRansom.exereg.exePolyRansom.exereg.exePolyRansom.execmd.execscript.exereg.exereg.exereg.execmd.exereg.execmd.execscript.execscript.exereg.execmd.exePolyRansom.exereg.execmd.exereg.exereg.execmd.exereg.execmd.execscript.exereg.execmd.exereg.exereg.exereg.execmd.execmd.execmd.exereg.exereg.exereg.execscript.exePolyRansom.exereg.execmd.execscript.exereg.exePolyRansom.exeAurora Worm v1-Cracked by RoN1N.exereg.exereg.exereg.execmd.execmd.exePolyRansom.exePolyRansom.exereg.exereg.exereg.exereg.execscript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aurora Worm v1-Cracked by RoN1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InfinityCrypt.exefirefox.exeGandCrab.exeInfinityCrypt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe

Modifies registry class 35 IoCs

Processes:

GandCrab.exefirefox.exeOpenWith.execmd.exeOpenWith.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	GandCrab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	GandCrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	GandCrab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	GandCrab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	GandCrab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	GandCrab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	GandCrab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	GandCrab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	GandCrab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	GandCrab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	GandCrab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	GandCrab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	GandCrab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	GandCrab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	GandCrab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	GandCrab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	GandCrab.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	GandCrab.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3396	reg.exe
3336	reg.exe
4712	reg.exe
2688	reg.exe
2628	reg.exe
3584	reg.exe
2640	reg.exe
2344	reg.exe
768	reg.exe
4044	reg.exe
3860	reg.exe
3760	reg.exe
508	reg.exe
3588	reg.exe
4688	reg.exe
2732	reg.exe
4724	reg.exe
4692	reg.exe
3600	reg.exe
1348	reg.exe
3160	reg.exe
2916	reg.exe
1972	reg.exe
344	reg.exe
2840	reg.exe
2664	reg.exe
3852	reg.exe
3396	reg.exe
3552	reg.exe
2720	reg.exe
4064	reg.exe
3444	reg.exe
1076	reg.exe
4996	reg.exe
3368	reg.exe
4340	reg.exe
2084	reg.exe
220	reg.exe
4668	reg.exe
1348	reg.exe
2964	reg.exe
716	reg.exe
304	reg.exe
2528	reg.exe
3528	reg.exe
2944	reg.exe
4668	reg.exe
508	reg.exe
2108	reg.exe
376	reg.exe
4044	reg.exe
3444	reg.exe
1972	reg.exe
392	reg.exe
4056	reg.exe
1400	reg.exe
1068	reg.exe
2432	reg.exe
3604	reg.exe
3424	reg.exe
1560	reg.exe
3904	reg.exe
3852	reg.exe
4872	reg.exe

NTFS ADS 10 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\DComExploit.exe.vir:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\607B60AD512C50B7D71DCCC057E85F1C:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DeriaLock.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\GandCrab.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DeriaLock.exe

pid	process
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe
1972	DeriaLock.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

firefox.exeDeriaLock.exeInfinityCrypt.exeInfinityCrypt.exe

description	pid	process
Token: SeDebugPrivilege	1412	firefox.exe
Token: SeDebugPrivilege	1412	firefox.exe
Token: SeDebugPrivilege	1412	firefox.exe
Token: SeDebugPrivilege	1412	firefox.exe
Token: SeDebugPrivilege	1412	firefox.exe
Token: SeDebugPrivilege	1412	firefox.exe
Token: SeDebugPrivilege	1412	firefox.exe
Token: SeDebugPrivilege	1412	firefox.exe
Token: SeDebugPrivilege	1972	DeriaLock.exe
Token: SeDebugPrivilege	3712	InfinityCrypt.exe
Token: SeDebugPrivilege	2632	InfinityCrypt.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

firefox.exe

pid	process
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1412 firefox.exe
1412 firefox.exe
1412 firefox.exe

Suspicious use of SetWindowsHookEx 52 IoCs

Processes:

OpenWith.exefirefox.exeOpenWith.exeAurora Worm v1-Cracked by RoN1N.exeAgentTesla.exeGandCrab.exe

pid	process
4700	OpenWith.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
4700	OpenWith.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
5056	Aurora Worm v1-Cracked by RoN1N.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
4284	AgentTesla.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1480	GandCrab.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe
1412	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 2192 wrote to memory of 1412	2192	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4204	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4204	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 4660	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 3968	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 3968	1412	firefox.exe	firefox.exe
PID 1412 wrote to memory of 3968	1412	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\P3S_FW_V01.11.0030.bin
1⤵
- Modifies registry class
PID:216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.0.1190998183\621462625" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26da4ea0-a67c-4349-9bce-b9d812412e14} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 1780 1e71f207e58 gpu
    3⤵
    PID:4204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.1.1984452620\1274164391" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c499030f-9ac1-4be6-a4b4-ffc77646b839} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 2136 1e71ddf9558 socket
    3⤵
    PID:4660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.2.1363813394\766995470" -childID 1 -isForBrowser -prefsHandle 2688 -prefMapHandle 2728 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0fa490a-f876-48b8-b23f-6538e323f567} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 2968 1e71de62158 tab
    3⤵
    PID:3968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.3.1759346319\1808851970" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0220652b-b497-4cb5-acca-14757184f24b} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 3452 1e70bb5b258 tab
    3⤵
    PID:4008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.4.439083137\1465681505" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32223b35-489e-4711-8558-5fa902fadd92} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 4256 1e72420df58 tab
    3⤵
    PID:4164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.5.758530912\132286610" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4a58605-0118-49d4-9729-80d36239ee8a} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 4948 1e7227e0558 tab
    3⤵
    PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.6.1446720198\1872637074" -childID 5 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11d92cd1-cc4d-434c-8332-9e9c97f0dd23} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 5060 1e72551e658 tab
    3⤵
    PID:2180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.7.1954598689\327703981" -childID 6 -isForBrowser -prefsHandle 5040 -prefMapHandle 5048 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86508c7b-5f91-40b9-94cb-68ba0372e867} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 5152 1e7257a7a58 tab
    3⤵
    PID:3236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.8.870803175\63675852" -childID 7 -isForBrowser -prefsHandle 5752 -prefMapHandle 5748 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8253e44-25b8-462b-b8c1-c95a09376361} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 5036 1e726112258 tab
    3⤵
    PID:3552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.9.272306279\1287325273" -childID 8 -isForBrowser -prefsHandle 5424 -prefMapHandle 5364 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a124e3ed-1067-4ea3-bc3d-86fb8775347b} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 5152 1e7268f7858 tab
    3⤵
    PID:3356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1412.10.985713650\31739827" -childID 9 -isForBrowser -prefsHandle 5232 -prefMapHandle 5244 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f645ba7-663c-413f-b70a-f94cd0729a41} 1412 "\\.\pipe\gecko-crash-server-pipe.1412" 5216 1e727cc1258 tab
    3⤵
    PID:2440
- - C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe
    "C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5056
- - C:\Users\Admin\Downloads\AgentTesla.exe
    "C:\Users\Admin\Downloads\AgentTesla.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4284
- - C:\Users\Admin\Downloads\DeriaLock.exe
    "C:\Users\Admin\Downloads\DeriaLock.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Users\Admin\Downloads\GandCrab.exe
    "C:\Users\Admin\Downloads\GandCrab.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1480
- - C:\Users\Admin\Downloads\InfinityCrypt.exe
    "C:\Users\Admin\Downloads\InfinityCrypt.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Users\Admin\Downloads\InfinityCrypt.exe
    "C:\Users\Admin\Downloads\InfinityCrypt.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- - C:\Users\Admin\Downloads\NoMoreRansom.exe
    "C:\Users\Admin\Downloads\NoMoreRansom.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4112
- - C:\Users\Admin\Downloads\PolyRansom.exe
    "C:\Users\Admin\Downloads\PolyRansom.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:892
  - - C:\Users\Admin\pKIIUMoI\yUIkUkEg.exe
      "C:\Users\Admin\pKIIUMoI\yUIkUkEg.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1048
  - - C:\ProgramData\VQAQcoYY\OyckYYco.exe
      "C:\ProgramData\VQAQcoYY\OyckYYco.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
      4⤵
      PID:2628
    - - C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        5⤵
        Executes dropped EXE
        
        PID:4872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        6⤵
        
        PID:4016
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        7⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        8⤵
        
        PID:4616
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        10⤵
        
        PID:236
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        11⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        12⤵
        
        PID:1432
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        13⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        14⤵
        
        PID:1068
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        16⤵
        
        PID:3608
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        17⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        18⤵
        
        PID:3216
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        19⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        20⤵
        
        PID:2640
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        21⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        22⤵
        
        PID:5056
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        23⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        24⤵
        
        PID:420
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        25⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        26⤵
        
        PID:3660
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        27⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        28⤵
        
        PID:4996
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        29⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        30⤵
        
        PID:2756
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        31⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        33⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        34⤵
        
        PID:4044
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        35⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        36⤵
        
        PID:632
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        37⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        38⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4884
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        39⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        41⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        42⤵
        
        PID:1788
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        45⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        46⤵
        
        PID:3860
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        47⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        48⤵
        
        PID:3480
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        49⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        50⤵
        
        PID:3344
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        51⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        52⤵
        
        PID:2940
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        53⤵
        Executes dropped EXE
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        55⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        56⤵
        
        PID:3776
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        57⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        58⤵
        
        PID:3336
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        59⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        60⤵
        
        PID:4056
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        62⤵
        
        PID:2448
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        63⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        64⤵
        
        PID:1460
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        65⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        66⤵
        
        PID:5056
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        67⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        68⤵
        
        PID:1168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4692
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        69⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        70⤵
        
        PID:3544
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        71⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        72⤵
        
        PID:2316
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        73⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        74⤵
        
        PID:1164
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        75⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        76⤵
        
        PID:2380
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        77⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        78⤵
        
        PID:2628
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        79⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        80⤵
        
        PID:4996
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        81⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        83⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        84⤵
        
        PID:2308
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        85⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        86⤵
        
        PID:2436
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        87⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        89⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        90⤵
        
        PID:3064
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        91⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        92⤵
        
        PID:3368
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        93⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        94⤵
        
        PID:3504
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        95⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        96⤵
        
        PID:932
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        97⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        98⤵
        
        PID:1168
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        99⤵
        Executes dropped EXE
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        100⤵
        
        PID:2996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2632
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        101⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        102⤵
        
        PID:3484
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        103⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        104⤵
        
        PID:2964
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        105⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        106⤵
        
        PID:3684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1816
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        107⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        108⤵
        
        PID:716
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        109⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        110⤵
        
        PID:2996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4892
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        111⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        112⤵
        
        PID:2940
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        113⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        114⤵
        
        PID:4152
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        115⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        116⤵
        
        PID:1904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2668
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        117⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        118⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3660
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        119⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        120⤵
        
        PID:3832
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        121⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        122⤵
        
        PID:836
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        123⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        124⤵
        
        PID:1284
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        125⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        126⤵
        
        PID:1124
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        127⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        128⤵
        
        PID:1108
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        129⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        130⤵
        
        PID:4620
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        131⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        132⤵
        
        PID:2412
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        133⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        134⤵
        
        PID:3600
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        135⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        136⤵
        
        PID:4168
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        137⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        138⤵
        
        PID:4884
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        139⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        140⤵
        
        PID:348
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        141⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        142⤵
        
        PID:2924
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        143⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        144⤵
        
        PID:668
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        145⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        146⤵
        
        PID:3424
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        147⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        148⤵
        
        PID:2916
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        149⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        150⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKkUoYEc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        150⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        Modifies registry key
        
        PID:4064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkMkkoEM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        148⤵
        
        PID:3200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UogAcwIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        146⤵
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQoQEAAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        144⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYscssws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        142⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsgcYMQM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        140⤵
        
        PID:1720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYoMIIYY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        138⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiUoEgIw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        136⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwsUIUIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        134⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySkUYUMg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        132⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsYwAYoU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        130⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMAYEQcY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        128⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUYsEYIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        126⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwowgEwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        124⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSswMkAg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        122⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwEIosgQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        120⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies registry key
        
        PID:716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQcEYsAg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        118⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies registry key
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEMEwIEA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        116⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGowsMsI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        114⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAAssowc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        112⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwMMwoIw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        110⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKgEoEkU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        108⤵
        
        PID:2448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqEcMogs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        106⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcYcMIYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        104⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOggQEQE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        102⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESsAQUgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        100⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWAssoUU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        98⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VocQUsYA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        96⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NogwoUwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        94⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOIMwAAs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        92⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSIAwMgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        90⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKIIkIow.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        88⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCswEsIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        86⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGEIIYos.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        84⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOocIUkI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        82⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgEIswok.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        80⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiEUYkoY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMsQIwwo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        76⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWswcMMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        74⤵
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkIMUQEo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        72⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:3424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOMoEwMI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        70⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMcwcIQI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        68⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqgYMwwo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        66⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQEIksUM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        64⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOIccEEI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        62⤵
        
        PID:2492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYkQQsgQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        60⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCUgAMkM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwAEIowM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        56⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGEAsEEo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        54⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcEIcUwU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        52⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOUQAwUs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        50⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUcoscsg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqMkEIAM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        46⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOocokUY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        44⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAkYEsso.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        42⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaoYcYsc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        40⤵
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUYMscs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        38⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmwsgYUY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        36⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gogkoYYY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        34⤵
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySwgEkoA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQkIwYUo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        30⤵
        
        PID:420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isAYkcsc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwMMUwsU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RegIwMUM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        24⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcgIUQwE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        22⤵
        
        PID:4016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgIMooYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQIkgEYE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMAsIAck.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        16⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmsgkIAY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        14⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwMcIwQU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        12⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAQcYwEw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        10⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaAMAwkw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3520
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4724
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4668
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuMcggoQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKwwksAo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
      4⤵
      PID:3392
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:348

C:\Users\Admin\Downloads\GandCrab.exe
"C:\Users\Admin\Downloads\GandCrab.exe"
1⤵
- Executes dropped EXE
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
16B

MD5
a4d350318c66f743e9a98e63800db7d1

SHA1
480635550c205bcfc746dcd198b3fc88fe5ef55c

SHA256
04093e68daff722bc388053393a84f8314bfe80b762f993d5f603ae49ed15d05

SHA512
decbef1a15fa6ae74151b8356241bf8fec691428f21e6f8a8d9a37f06a7a27cb325baaf3584e7439bac42bd82ebc5d724ccbd723e140e8301ad21ba5aeec2c98

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
720B

MD5
4b6423ace280b395c5cbe9a60eba110e

SHA1
ec6f9a85aec96e63d0ddd375437bc77bbdec0423

SHA256
dc18e8f356b534f2cda21497764051bb114ce9134219333b213e336c8e76aa36

SHA512
8262936969b86a822e19d1d8f4c2551ebd6699be76e9d4dc124f083b86e16b1171714fe9f2d74d1a7c7d318771782bfb0b1f30dd61e25b30d65db3a4363c901b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
688B

MD5
dc786ff608748c8050e7be8a04c2cf93

SHA1
4af13c2adb931c8b5cde77f2965a4d26e4f81e89

SHA256
662b1e776d02a761873ba2509f1be1a4215fa564dc3b1ca9aa4c608e25c912dc

SHA512
501c46cf609a1c150605ff4728d2d9c76cdb40b3266149907e08e1f4c6be5266080a0b05fd48d3662cbc97494baa3e124aa4a7eb762c875be69d83814e67ea13

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
1KB

MD5
a84fb4304c7efebb11fccfb242a84d43

SHA1
af9609e0d46de761740abc7815f96cf22b1c80f9

SHA256
fd343db93861c1bb7a672f8a22c39f2f02e9e10df6065dde34cb8016e1273047

SHA512
a8aee84c8fc565bd9068912a60edba0b4bcadd23c8a452ce9d63aae56697068b90c2acf19817b5c9f9207d29a38bc25dd770c7f7f2d4ebb9d6b207184a85ac69

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
448B

MD5
e544d1f238a3520e81fc06930e95bf85

SHA1
1b6ec5361d186a85cc46d1985162963446b0a701

SHA256
8f9ba21943d48bbf1d7269a4d22dcbc0713e1a05e8e63f5a1d98ccb292042d01

SHA512
030cb63319796dbf51fe1f48ca1ba98ae9a7d4224c3012e509ccec08b13e6a6ceb1c5d6acdbcf74bdad7c42704982c3e6748af23dd3d93d46dd49d960b1d3097

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
624B

MD5
3b273a8f3069444aa935d8afabb47c0d

SHA1
1f7dea47698f50e3f9414314c2a59d359007ce34

SHA256
3b47c6cf739f6853448fddc733b25756147b5147b0b13e361c6ea6a280c14a7d

SHA512
ab1cb8a0e50ba315b5e85b5f579a5403af6fa273a680a2301fb73f359bdd2702734eac2ad3c071e92e72cd33b29d86b71d849f458d9837c18c2564af70e391f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
400B

MD5
904d2982ed5624db86abac9c162fca9a

SHA1
a5caf3bb919d3a91df585ed011a3823c7ffc9a50

SHA256
42d149f2ed0cbce7b04c77f0ea39f73c46e90ffb8e544e88ce4564fc6b5aaa7c

SHA512
4996c139f5cb504089580ec87f22dd9b6897ca4dc66a6c48f866cd1d605e501f5daaefd853aa97579643bff3a964503c646b16c1c8c05419c34c9e445de7595d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
560B

MD5
ecd90e2f362f974faf87774a5a19da71

SHA1
4fa404b77d324580b858b6b5855e1d3dca976646

SHA256
9044f454d67265064a835da31b5df2c45b36f902a0587901722db03323b64c5c

SHA512
dfccc0d71c72ba5bc171df3774227329b71155a24d1f29baf2ac02f5b302d075d21124b13c89a1b8bad8e1cee8b93c150050510bfd2afe189c0346defc19e80b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
400B

MD5
383367daaad2bb21ed9be5234c55f631

SHA1
8a01ed4d4969c706bd03183b58691ca8d3e81047

SHA256
cf16a92630a469377253bd6b3fe940ce21ddb18eb4dd1f4d260a55727552d7a3

SHA512
9f02797e4d7cbc325364f637803021edda92b34c768b585fdc4eb5699558bd76811921551053de3c5c09bcd8e7c0b44c168d4f5851786508979cfe3e5cfc4024

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
560B

MD5
bf4a188d08ea331e0bd8a6dde949af64

SHA1
d8585b8a59c396ec61ef2a5ea853bc69cbd7cd8a

SHA256
3f48e3ec06a48cfd3abc69f619e201510915cd279e2d40ccc8459aed3f59298d

SHA512
f6ab250948b9da3df007b3effef18f1b3b6561684cec6eb08a9828c3dd5b6ff15ec12cafa9d45d1c0bf7ca9841f744014fda1da90fee3d5899aaafc6fb826ade

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
400B

MD5
9b377e489eb786fcd6dfd55ea9cbe090

SHA1
19749596914458853ef1c535d876cfe3fe733ce4

SHA256
25142e8d029c601825b069de87d829dadd862013294f2d8eb51dcfe75e83bbb3

SHA512
ddd6afcdc523629a706e3256ef9766a9923334f384ccb4fb9c20396e7d3cb1bfab71a93d08ab5aeb70dc47c4ca58a27b466f637f565ceadc00c4533aeb5f506b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
560B

MD5
ed6ca11e575fc54f052edafbc8072d75

SHA1
336489737be40a76d53e8f4c325cba200bd30f33

SHA256
508154aa955bf18fb4acef0f579b7a6fba524c935587d287dbb332d90715820f

SHA512
ca3961734385ead69172cf342c7c52f98b342f5a60f15efc9eacc0ddaffa96031eceee32241811bc17f07e85dda55b49644d5e396ed2ad5674c479c6abf1840c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
7KB

MD5
eebb8a0dff3df83a287d96f0ff3a4255

SHA1
30206db8a9019c8f9456568313939946f6092d62

SHA256
8c77d4e88be72f28e90f55946cc9693d0e3b03fea5681a82077ff50ce2993f16

SHA512
10148e6a65c8627d6b477bc82edb2aa5b727cdd7e7d572063bf39d508fbfb3f00056cb34fab6270758e525a09bbf5b0ea453d27527c0830abc6667d50c5b8a64

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
7KB

MD5
1f929757fa97521d86e594f8a8085ce6

SHA1
b35c98153e11fbfdf8546f2c47eb536fbd0976a6

SHA256
a1c2fb6749cd88f642b192a1d46366ceafb900b77bf10b6dfc38161f3ec07fb3

SHA512
4a2d33733b23e17354ba4018dc86dd61e6a281971e876479fde6cc7a83fdc79711f86399aec718ec2ee08947889af0c10e2f83c68d713598968e1e34df8a5aec

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
15KB

MD5
23d1bdfe9d3dd324ddcccd26f1f79a87

SHA1
4546f75dd59959eeac478b76cb7afe5d497657db

SHA256
57ab20e48f39b0faf6d16cca69ea4507ac7b2fa453b31d6b176a4be482b9cd9b

SHA512
1dc74e046544b6d1d4721907bef1fce4b1a7a8c24af9630a57626953c6ab9389b911e6fb36ee3367b4d63b9f88697f44af4934967f32aa9aaf04d33a9ec469ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
8KB

MD5
a1dbe38d45b8eb1246369633f1d077ff

SHA1
18efcbf9fde371114578564890ef82cfdfc575a7

SHA256
36b8ad386c773b9d5adae08e5afc6b3c339c339163e4e06be8f0fb544d4e7b1d

SHA512
581ae86e182fd98ff29904f4b295a2fe3b4d7a7fddfeabca3c1f33cd972810e22f0cd6f3cc7ed087150c164b022a98e90c97c1587fb825c4216b733f6aa74c27

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
17KB

MD5
ebc426af276cdb020c94dc038d2019b9

SHA1
d41c9d62a4f3045b02e696efa0c8970fd0c892a4

SHA256
3653b18e3b300db0d23cd95aed7e80ff2b62c870d89377ca50a2769717d51983

SHA512
435b404d8d85685f67fade588998a5313ae0d64914919681cb67bb746ca4d3b55a47e6ca894de59c7cd3f821eacbd69a70ba8e6a130ee903ed8879202cc52f3a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
192B

MD5
17221c474db47d801864c08c29f71085

SHA1
22136184bfab62beee0d5c315e45da7cc6c36854

SHA256
7ae0f0e8f796dd43f223960d4d0f192d26c4ff74947fbefedd06593916689fe8

SHA512
5a04a8186fbda300ffd2326e79688d6a528a7a14df72af6148055c581ce87d94c1b205752f19240172bad3c5c2aba42e4aa260e5268ec175c5c203a46a58fe16

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
704B

MD5
d2e9399c64062aacaecf06a7d2a74766

SHA1
f1b314436bc561df0d31dc451c34abbb35dd4c0e

SHA256
f8d2a212262d204d8c523c52c520c7ae014953c1d25762b3074c41d1d7076dbc

SHA512
1445114eb0951af50664bfd16ea038defda1c25bb4bab8f4dd65f9bd9092174613424481115edcf2c4732f74d12b457e092820bc2ff37c48d20dee60be541b3d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
8KB

MD5
be9bda2db0aaf2779c5d0efbc1ad5c87

SHA1
1f118502ca220140d81a0ec3f50d010ce3493dd4

SHA256
d5bd00bb00433bdc4faf4deb01c2aa930940901017939759bbc9fc920dc626fb

SHA512
ab68f7cd79e49b1cf523feba2a5f2d41aa9f14d9cf62bf97af8d1f4beeab29acb3d5d57269430993892290b1b2b52b66b118f14f0294b26b883cf14838d29cf0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
19KB

MD5
ca483625e0650891db95aa9571401d87

SHA1
cf985a7147d60e7d42f38f5cfb925823feb063ca

SHA256
d1a1232ff695b735ff7959e36ff00052e266238b628547fc32caf972ac858d30

SHA512
2e9fe7ca684c1652715e79033bb0d5d700cf51743290cd58781dec084d21d604166be36f0bbcdf451ae553c3e4e09bb497aecb66a695877e8c7fd96de9b65221

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
832B

MD5
79aba44e79c2876b5c6dd65f33d9dfea

SHA1
9a4601942c5e427312b4e5de2573aac8b2f63234

SHA256
7b348650383d4e2b3a7cf5d4e6cee29cc2dab29279164e2aa0f9f88f8a4acb96

SHA512
938cf7f87fce674faea437121cf93bd78569061ab62693b4a793b0cc152e2e7f0089cd4035ff0fcb495ff159e6d6038ec3a529bb90d0c93cbca29df31d432918

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
1KB

MD5
509e4f0377e5f412afc5aa5f045c1555

SHA1
844738e09dfc551c38dd48bc8e8447bf2916fca0

SHA256
85f86d050c78de1cb99feb21417835adb61beb6aa82802f0ca5a9fa42a8ee0ca

SHA512
4ac7e71c6ba0a373a04f03f036bc065ebb75ad3eceef4696061a27df49ec631adfefb097cb4fc5450b567642c573c0a73f707ad531dae30cb0fe4709bf8d9ad9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
1KB

MD5
de646958f03899ffff7f90af4dea8d04

SHA1
ebda43e863217ad9056d8f4920e9cb17fd5e2798

SHA256
127bd8a33a634ce28716b9a50e45410357e6f83b78f926995eca97a73ad6bfab

SHA512
83ad15aa67730e83fa64dc16dbbd316a5a57fed27ad3cbf6b15e55be2b07b556678af295aaa70b952831142aa76f6e0e56c199f381c80eda82a09f991d133267

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
816B

MD5
79bc3ac8fecc979077a8dd02f48d4692

SHA1
d73d57f0ffda6c8608f2e73568cd45b8b93d37c5

SHA256
622cf0fc64cdb5ce802c95a64c722adedf9627691823e7128bf2c8a10d577b58

SHA512
803fefce36f912e668ae132bb1c263827f6f5fc4e4d040039a1314c9b5b69bebf894ba13e510af9ee599ab753c960888a23006d4569ef193f6afca7d1b6d7c52

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
2KB

MD5
71de14d5455f6fe9962da4e6ea3d62a1

SHA1
852634a1fb37de8848c91cb7daea2b99417acfea

SHA256
89202fa83380557e86ce1130285ff09bd6ade7f18d93da9d70fc2f9e48f569da

SHA512
29c86ca6b3c2ae80c0d2226623e1fe17f512ed58a6f25981f8ad0d5a496f23e8a9f2e5183ad8f9b33b1e19f97d49c440296907d1cd693feef5bac1f6288fd583

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
2KB

MD5
e05df963092348ad3e02db5414accb4c

SHA1
2a7cc66963db51dc6b99cc5505c69c08b859fa75

SHA256
56ae224923851d43ca61fbfbd07edd97d3fc8cbbb6c967ffc4578c2afaae4550

SHA512
c1a905c92fdeeb0d2c8f8ac5271ff97e2d8f6576a3a2398d8438133026bdffc9dc096f8a9ed9187c71c781825e1b7f0334416f5495858216867217c5ea3746ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
4KB

MD5
4c8be41ab12d37acb8fc02612878bcdf

SHA1
5fe1e9d621de78044b6e2b46d16a99137982f8ac

SHA256
ec88be21b94dc04017af56ae7c12fc7306a3925c9d00463f511c6cd10452bea3

SHA512
167445ec18b764ff736354a761e1f9ea6dae0b6759d2e475dff39a4475e3357d574f7adbd70179352c6c8e09cdf65fce8806355867c01fee2fa5d151acb65bd3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
304B

MD5
eabba96ba5a9bc882da167054ee28f74

SHA1
29712369ca1c8deee44b4a6e7f2c675bd711960e

SHA256
2abf86b3ca86ccf42209ca193c893b55e7f604b345341802f9a0005d6f09bfca

SHA512
1a8f7a648a9e91c94899cc3b40dc85c272e9cdfccb98a8f517120cbf2df96cb3883409b3f51c78c7a3311e0947518b6e72ae919d3de7b5c84d55a8956099fbff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
400B

MD5
19afde66b2e56e1af44d891c41dc5a49

SHA1
6c70d3087b38cdb9d72302b30a50c627333c5546

SHA256
f16e48b99baa85f9926b534128401743b6500d90706a264aa878d3739f86398e

SHA512
7eb080305e618bf47f04b7e14b9340ad35cfe2a488e2bc894080aedd54a8018bf5c6d9c195e31b0e19a8916070cd94524f33c0ccf13deea07b22e2ba09e53e49

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
1008B

MD5
a78ec27ec05bb580ea2c3ee08472d9a2

SHA1
6c14f0f7d3ad68f0efd04a0f375e2cce371b91e3

SHA256
c4b5b154ef4a30fada75d4c34fc42a60f9a44c67f010d2d78684e34aaec90f01

SHA512
012159cd5aa88a6f19fb550575a45eb6d1200a6f1fdb76bf9b3d5c6b1d9fe02267a28bd3b16c412df39ecef6b0c51d63c7c8c7c7754433dfaa71eefff36bcbf0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
1KB

MD5
86137de605afb9fc6936bf3c5586b400

SHA1
2820edc56396d8d18ff7b156a4f31194e195bbf3

SHA256
2c61c5a6b17bd51962f1bc4d854a3057d2f3e5dad93938697db82798a9f42140

SHA512
9ca7dfeed140b0edd733a89b6bdc5b38ad4891db7078b2f8a85e66b3d7e3c96d7588b97ae9474bf1f508119b35dee9d2243e1885cd5d9bb9a2f04b541b422401

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
2KB

MD5
05a25a07b5b00ac44da3178096abe66b

SHA1
0b0daaf7b383f7e3b73ed27bf1511ce156d5dac9

SHA256
84322f60be460569ca3c2c78de20d5a2dacb95511ee514e515395601422aeb46

SHA512
94765397785b24a0510366defefccb85724ed8824474f9997cff6d91b1745c0595f71a7e3b4cf4a7a6f4b6686be20dd6b444ab7235dc7f5cb538fa20b36b9889

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
848B

MD5
36ce6ba9449f62ac46cbd8e2f32a8b56

SHA1
dfc7b83ccc98aee0c7168872c269bd2e4762110f

SHA256
2bb7b0f040b88a3ea3607d2fc2063a7fd7aff6ccad07bd35f0d35bab7ca8e78a

SHA512
beaf6db207d745c13213310f4956355528002ed806908bc1e511e153185553b8592bec57f2debbaf9a76c063962ad114b1e073440f691d40ffef0bd18e5d585f

Download Submit
C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll

Filesize
292KB

MD5
39367419516f5f3df9ab1f9e5d0bbcd5

SHA1
762c9acdb09bfdf40e700645131999202abbc871

SHA256
976eea4567656d536a6344b3834f958f2b9e27401b94c643681770437d5abc68

SHA512
20ea8a64a14579ef5403eae8a6345afa0f9b12229fdb8bc869f7a8cdd4e785093b9f60f9445be738266a161d75f53a8b8e42a69b2f9b4cbf4684f5dbf5113ae9

Download Submit
C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll

Filesize
7.1MB

MD5
fbd761926164043ac71ee9b83ab37fd1

SHA1
38d44b0f40fa31124ba139adeb6f7adc7e53ee19

SHA256
013a42b8c6ffa29e2198eed4faf6168247b6550a4c4ed5d82023a1d82a08e27e

SHA512
c2a0be2d8b5b98dc19ad167aadc1e68905ad259e3b0e020cfb95a8a816964549c98a9c5bc44b8f4640147bfd8555e799216b8dba13bf0eefed9582782da552d2

Download Submit
C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml

Filesize
91KB

MD5
2e77f3e2bff6c6f9360de69b43570561

SHA1
d1454e0d658590f46f578d312b5311c732ee74ac

SHA256
26cc592ac318b8965f07a5dabef211dc5c71c51d83e0136679e075d6a2a17b44

SHA512
bdbaf43e137a1a016b3e1c5125acf79a6f7fcf5137969eea69a18b682ed326734d3303fd178c93cd4c4a4779d5fb145aec67356db6000394c2b76065ef069581

Download Submit
C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll

Filesize
36KB

MD5
3998804194188c25df75f505ac5c531a

SHA1
6b15b2d779e7c46e31fcc864fc1ef326fb3d2b50

SHA256
cbec9a910488cadbad860c850ceae521a2a346619c5a9da579e5051e270f114c

SHA512
d7cd7457c753190fd1ae5386a62dffbe5907ace02227ef873f4c890f4a4e987914fb94ab1ec8318f48a76fc55cfe8e7de83b75cfcbec0bb8ff0e18d2d956abdc

Download Submit
C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll

Filesize
5KB

MD5
aa6d1a798829536972ac5ba7d01d0c77

SHA1
8ec399faa7c428e9962f116b2baf6efca636e8c8

SHA256
74a89211b2a1bcf84796785fb93647ac6a1e5efbb2bbd14ddcee2e50c15153a4

SHA512
a937d3840bd6102c321ebaa06e01bda575d383aa152c1c0bfc8faa870109a7672a9957c50a6a259ecf481b47450df1814d7d152334e396780fe15760281be870

Download Submit
C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll

Filesize
352KB

MD5
835e9ede7e7c774e7a2d56cfdf6e9b17

SHA1
a43ed886b68c6ee913da85df9ad2064f1d81c470

SHA256
c3a5868584a777422cebcf31d6718fd2b26d5e2314d3b5ba6d8e47aa40faba0c

SHA512
74284fd44497beb74326d11a0f63d96aff20aa44cfa8385f6b63b7e6743403c36e2ea4fb0d991767117a97d320e04d2b21f0a4730916244af4ffdaf51e834a26

Download Submit
C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml

Filesize
6.8MB

MD5
ed8ef3dc9d3ac8c179d4e70836e59bef

SHA1
5a6fd18e7e3632b08b399aa163e8ca5d27e29bff

SHA256
91f3d6351285f8976739460142ae9e390895f03acc6abdad37c615e31fe263c8

SHA512
f1f98b2a1c21b70d06451e5ee5bfbd9342cfd54b965bc7a958d58451b67d5f405e720fc06960c90f05227a3a2bff0869ab1a1da9275fb5ab2ec88a5bddc1db9b

Download Submit
C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe

Filesize
831KB

MD5
9aa4929291eff01d727b9fb88bba080c

SHA1
820321cd5e8fbf81db43f024e93ee190811b8906

SHA256
d55baebe14b8e68afd44227d3ae7307fa07dbbdd91331b892edde93fd027ca6e

SHA512
b52e18c3c8f4f30479c974e4c19e00cacdb850df6e631aeed553cbfee77703e664136385ff7a6b38c90ddf18e0c29a08c51264ad7696c5d8278b8876d3b7fe1f

Download Submit
C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config

Filesize
1KB

MD5
b2540cbb6ec9839a292c292ea7ac8b65

SHA1
ee91fb07609d9e435206386d94fb43d9ac78c70f

SHA256
af825bd6de06ddb2d1f90d51a6c77ec517c9594dc684075a654adea4dca00613

SHA512
c8047d7b2c602ecc4fe021c0eef58fdcfa8f31408d652e9027b7b9849b89bb4079c65ec3c78f85f60d6b8fb9d227a01925b0adaa481913acb75174439a37cd0a

Download Submit
C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll

Filesize
15KB

MD5
17351a51f020d8352c3d8144bf89ab40

SHA1
80a46c4dd6be71f789183daaa6677629654ebe68

SHA256
503804161cd8ff82756292f6d4d24107e6c8ac4cf43df89378f7b5d3782cc2ad

SHA512
ab5b16f296d787a72fed58bcb00e1295a543d4fb5eff00cb82c065fe336d18a572884003e2b519f5d4880546ce592aa9d903ad096a7d78dedf5f72b76034c983

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
32KB

MD5
4c38ec4a72364885cf929b43f8945b56

SHA1
ebad29994685cb4465956468cb345955238747b2

SHA256
f4e93a0c307836b669974fee9f74fb96e72bb024f859e7bde9f0bf0dde03cc35

SHA512
9ee3e0aaf5cd4051a063916c5d58e4fafa6dc9e123af30196e89c149ca6fd7981f24bc3553b4464134fdb981dd006444789ecefd180e6308f9c21214cdbdea71

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
384KB

MD5
09aaf4990ce32308aec48f222ee72fdb

SHA1
d7a9068bcf7276d150c7920cef2bbafdfc088a33

SHA256
0f0bce7818fdc5e5a8d4b77e2de987c4afdf30446babbd521f908d6a7391832b

SHA512
c01163fdf2ef4453b143048653c7444a381a92c34399f34c61772ff1cb6e62ee92f2e9f3411928e7e63e1ce7db51ed5ab455234ad201359713434e64d8d3ff91

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
596KB

MD5
a8c035234b05103c4a9e467d23de4167

SHA1
6af8ce01e2df753582c0a1cb5414312caf179d22

SHA256
af24067eb1d955bee99ac17d05867f6a9d68e41a772c862b539c6b68aa55ae75

SHA512
6b09453f7e63cb981b2d3eeff2627e4ce9597d972d13444c088cc239b6d3f50f4309d6b7831a70cdfffc1a2e971ddb0be7c9fd60135c08036f6e2a6a7d4274d1

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkDiv.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
300KB

MD5
5bf9b48adb3689e1a1b06404829a8e41

SHA1
b00ca9417d922b69333cc6d15ff22bf8f1e4f096

SHA256
ddc27dee1338a51b3ddf45788d162d8fa4570ebdf6cec90e611b7587b1647dbb

SHA512
b49057ca954ec683cb98e2181066343e0057bc3b83b8dbb23c9ac90fdb1de4f9ab12e9dc5b5d25f6d8a6b985ea2a2a078ba97cc3dc8189a3704e7fd165b35168

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkDiv.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
300KB

MD5
91cbf7e4f1028dc7d8d3f0b77a158b62

SHA1
0639670981e449ec0d54ab13e3909356eb5320ff

SHA256
1bea34360d29a57a58c4769ebccd99f07a45eee59d0fdc79cfb48e8263000487

SHA512
e574687eefc876b00443016bf89458d565de11fdf3fa68a1eb1ea6abc115e3b528bd6832184800631757ce28feaff293ef898d6deff0a03ee68954d99d8755ea

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
330KB

MD5
bbf899d50edf4c2929b289e3427910f2

SHA1
acb9665d8a00ce641c71b4313750a843e1f78c53

SHA256
72934033f39333feef096ddaa3422835233c45c6d88f46137b2d0245367f9d3b

SHA512
7b70929f56df27ed30cde476ad28f5e37e889368178ae40869bf2c88850c6b699ce74dfe82960b818651e64ea45e81087739baae474bcff9bd5482c71d58ebc6

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
330KB

MD5
44559417341da711f3043e092403fe0b

SHA1
be64090c7427592b79dab514a2f75a4810f32387

SHA256
9d4e49af3ff1c8d1fabd50940548eb9fa827f3eccc836e6a0d4aa5b05c3a688b

SHA512
592b99ccfb8dc563cf990df9d4b1ba96904e4af83e561e8cdf1d58e5493491a9b77648f71b0c9b347e210c21a7f2a1c63191fec6caac5e767244eb9c5cce7623

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.htm.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
256B

MD5
2aa6ec1d67368c21621ea2ebcb8378f1

SHA1
49747d896a288333e86de0863c0dce05230d76f5

SHA256
213b8f64d2a0f911d9f6652ec6fae088f5e31b186cf9ffe3f0575ec458fa88d9

SHA512
018019bb6f522361b9eb63a59e9af8da092a458fd952954b5d1afcceb79d883e7a21dc49936d334b0a84da07c7081049184dafa40ddfad3f626f29d6a7e51348

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.htm.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
256B

MD5
26fe1638da750def6139bc70bc124b2b

SHA1
a512af0353f4eba696e1093d277aa27a17e27fba

SHA256
41991e2100a5309943e6b4b7c114f722e3323ef234ece0a99240626e2a75df12

SHA512
69c3db233ab354a7129358f21f44b753ccb1085a6687b0e700cb80ec030d9bd3a06b8f12e6c58b33a229dcec20d8dec3318cc670c26861cffaf9457305a33ada

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
786KB

MD5
8b602ee4ac226b549cdb09adca7767d3

SHA1
78f59bcbdfac2432ca72ced1e30435b035e0e8df

SHA256
13f17007c05f48c42d4eaaa6eb9924a079ec773e7da4c852cec24ceae09d6d6f

SHA512
619bebe276d830b3da5302399dedd6bd1388c8fc45344f6ed445775e56b800fcc6b9c7b1c1df699973f18e86e0dc3b5fec0f11cb5ab8172b4a21796da3b7d0a1

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
786KB

MD5
63f19e96e49313a7b03cf9f63320019f

SHA1
a5a26cb0998198490d28c370910efda3915e954c

SHA256
fcf004a1c970e54c91efa00d0afc9abe797174229da8b6bdce3ade3afbf563bf

SHA512
16f028fbd9dd104f6eb5ce9e72d317b153f3b7bb9f5bb3c3bb8a6cd1d28157f44af801685e833ad5ea0f07a094ec6ed9b697134b326c7c92b76db2f5b82594b0

Download Submit
C:\Program Files (x86)\Common Files\System\DirectDB.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
27KB

MD5
c4cb0b7ac79b13c643d4d59c62a4cb4a

SHA1
2db51a4e97c689ddfdc889b5f886d9f2a05cb78c

SHA256
4d5db7d9937c476360e650ee78aed11069f06794bf520cb2bb8cfc699f8cb4ae

SHA512
5361ceb33ef3d914d3c6e66776cae31750217c23a553b6f8cffc15d6ea7a0b7b79ba30adec3f995b52c37efb16e358ed011523d945ba0e0766ffdd124c6e7285

Download Submit
C:\Program Files (x86)\Common Files\System\DirectDB.dll.85E594BE542E32BA28C5BDE658804ECE877303772D02F3DB3659A0149CD500BE

Filesize
27KB

MD5
0d11741b2ce746d2064fa7316731432b

SHA1
49b5744e0ac6e66669b79e3bdbed7bf5444d1c0c

SHA256
2524717e28235ce54f07172eac135b623181119f52a46b1be7c76781df850325

SHA512
af8f0a380fc28d0b41191ee876cbdc59f4bc2bee79000fbe369d7ff2a6f796a1fd7d745c15f0b1bf8d0c7ff25a20f08e7b83e4a303bafa1fb5f06deb774de91f

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
241KB

MD5
b785d7bc17aebc78e7c4db48df69f6bd

SHA1
f21f835480f7a34b5ab1993defa44f71f1948ee5

SHA256
4ffcf15913f0a28ba1459fc4e6e6f49851c84cc7c44c60c7f4165a3be1d4ea9b

SHA512
3df4c3e53516cea14452ec4746e43619a60f4a615ce31104fde137bfd2a4183be54b834b6e0d9c96821a2b54db655ea008b60a234b7caa7c523436389bb6ea9e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
194KB

MD5
d660eebe80806f4ce3cf3a14519291d3

SHA1
d203d750ab68a2c0e1fc289e0fb50d64476804a3

SHA256
7c6d225808243e7ff773565517a340494a37621637a3ac858a1394c0d1083f28

SHA512
ca111b384b3b411fbbc24f7baafe0e160fb9b1884d155652bc2a35437535d4052fb40ba9453c08335811e2cb84e5fe75585784374ee5ebf913718c21c989c721

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
184KB

MD5
a5274cf10cccf9f61d8fe7bd54e33da5

SHA1
985b4a7c00da757e3236c20640a9cd84e3427f5a

SHA256
83f534d37046e6ee16886bbc8bf7f840c024244397b7714d5d50b4a09dd6bf12

SHA512
a519a547dbe3a3a03bfd522ca799f89ebae743c017d2fd1a4f7e84e15faf86bb910783b874a57ebcd15760713214300f3b5018c27f4c34b6e9cef71afae07ced

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
639KB

MD5
f2fa05cbfc8cfc8ab80780f3a0753739

SHA1
491ef933895a759d12a8aa0e86896e74d38d326b

SHA256
95e7ed12ebc652bfa87fee78c4884fb0acda94f230b3e25bef84869bcba935b0

SHA512
1f1690fb47dc3bb0e05eae00fa560f5e6e6134aee308c7f1faf2747090bb560b9d22904bbea06cbb4b6108f65b6fb2fe45a0fdfe4e05b9f3a1bcab7a7caf698f

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
820KB

MD5
6e0631efe4cd5de249a82c6624d4b703

SHA1
d888dd813207b37f92337bf54080dbcb31548a62

SHA256
43e8232713560eeabad98b95c759d54a32336ae0f5183f2cb692ce920213caac

SHA512
51977e55295b67fd2dbb85cc5cb17d92f85a89d11ba3397bc4b86c09ebb9d82e8b7eef8d068680461b8db013f65ce9227c16f81779782eeb62df5fd21afb1c5c

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
837KB

MD5
a1e273e9e1550b2977c37366ee78d618

SHA1
8053c27b34347a6eea23866da264edca1c258605

SHA256
82dea2398775691df051caf2be657f75ec46f2f02e029b4beeed5d98ecd89b75

SHA512
e671bb3540ad3af230d98f3a3facd3b520abe3a1b739a77f4b89e648e8fce3f734a771fcdea0fb07243e5c26f387f8e1066205d0d5df955ce6685032990f40b3

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
640KB

MD5
7c1add0c9eb6c71cdfe8d491b5d067f3

SHA1
a0c50a2b8d9f25c6523f93c463d5a6784ef13803

SHA256
b6ae3812749d9c63321a208d6c199ad0d182151d3613015c7c462d527169afca

SHA512
582c9104829b69b95d9ca587cef45a7b41e1bb453d9ac8b0d102e4ee310d7add167d364004f060f6fc886592f8ae2a6a086202a03ed42de77c611be8d873ac14

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
660KB

MD5
7221c35617a14713d51ec5eac50295c8

SHA1
544c6ca17ef432d496f363bc6e512314e1561477

SHA256
4778e68f6420f76935a70c8e4f613b394890d1122d0d8e8bba58bf5fd67e8544

SHA512
8a41f953647850338b4fa0d02bc06df4317beec3ae89582274b6e0e17aac1ab0c6ed601f032b6920427159dfca26b89edcb189eb287f89df0a85456b6163571e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\128.png.exe

Filesize
197KB

MD5
54868993deed41e97dd62cfef67c39c0

SHA1
95bc0294551a5c3ee1217e467bb037d88650cf41

SHA256
614d8c61493235bbf7cab467a0b5a061b1d17204417b9726edf50d11f5be6474

SHA512
8d8091aaa6724d9724ab6f4d59696ec47fa39beef78a70fc105ea798e949e123408da6ee4aaf5b9e3a66245f5087126e52f9fd08215ea580c6ffbb689ac099de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

Filesize
186KB

MD5
ffa393d74abb32a67cef9728fa85b879

SHA1
e094d607ac85bb38cda9ef4317f3f192ef7b4577

SHA256
c576cc60cf619d5c9ae3b34f0b48cebfeb5b5e0e36ebbdfc40e13578372a75e2

SHA512
69d4f0fbf3563deeaa3d3b9e99c5ede1613040514d85a15e996fe0be4a5df60299656f58cab93797bb15da0a64cc503e5f1da30ba4134884052c40d144112c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
204KB

MD5
c574bb073153bbceb527b73935cbdb72

SHA1
a2f0e201918d088439704e6f22475c7798da0a30

SHA256
83d2bf07149b462ed2d8f85f2a7b219cac64fc3035d5901821d72f444415eaf6

SHA512
7e151bf37657ec118e7229b2141e098cc16ffbfa3b60534a4935a03a6341e0aabcf9bc2e6e1da87522cf430e41f1c9a7e02ba8bc75116d609142362fa29c5490

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\128

Filesize
16KB

MD5
e9d2ea4d7f592da22b97d4f0771414c1

SHA1
9f457689ef8d80c7e4a344b9c1ad3df40af12607

SHA256
97f41f95d7609e5bc9a0c178064b52c4fa7aceb969ae2b44f4628dd79559d949

SHA512
dd37ecdc81cddcf5ff676eb2823ed6de2d00843b2dd373789e8d61ff2c13c3015c49b642f65b842230e5839e13ea6498568ecc9599b8960ae5476b0b07769278

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\21005

Filesize
9KB

MD5
325de0dee8797cc856b0aacd77159a26

SHA1
6536c70736c84be5a49ca675735f312f55509e6c

SHA256
dd1591265a3581c0c445527bae2592d412163ca454facce57a73b87d60fdafcc

SHA512
fe8c6cde9d5a3b387ebd763c578b211196c0d91e47afd9f539fecde66642965b6eb02dd654d610441e41b5f53a273e37feb720a68edbc61f673b883870bd63b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\24111

Filesize
16KB

MD5
c3447b825c008fc805b7a43e65af7763

SHA1
9b971c7e156cc93ce0f91f54c25d03547ad72523

SHA256
9f3afdd5487be075affd0545ea648642264a492c0a9ce34d25e92e49caf280e8

SHA512
c29060452d40739aad06ba2eaa673e23ded3c4e0e0fc19bd6161c7c45b2030e0095e13a6a4b2bd49c70920fdb2a2e633137f6f340dc1d7acba6542628ac395d4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\9655

Filesize
14KB

MD5
34696be8c4ffdc976698bbcf4da004b1

SHA1
18f32bd1336f73e40d14cbb908ba9a9a60f65be8

SHA256
5f5351d4b628f932b00b7b091eefe7b0a0a860dd4f04602d838b84a9bba58535

SHA512
c04bd67bf6193b6e543cea32d907014f7fcc335a614cd8cb8865eacfe907daebdb80247442f693b6520c4e1a7e227fff7a4a15733101b4d4a2cda9c673dfc98a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
775KB

MD5
933c929b169ab2020617248e3edec258

SHA1
be7cb5899303b52d69dd692f0c1787125f9d95f7

SHA256
bcb72af627b2cb65a5eb76971e8c21ee3dcb26fb5aa769ea02894918f70b574c

SHA512
f60b01f515aca08e6a741e7417d377b74d64184acffcef3da9bdd14c207e295ac6499ed3983e3a2bb096a6fa749af141e877f1bdfc0145930b3ad9f7a242eae4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\4412D919A32B54AB53754B2E68861EB10099D124

Filesize
114KB

MD5
ce3e65c3ae4f8d1b3564ee82b2f50c19

SHA1
94d9b68300d8fa897151b708674c3a0b38215bf5

SHA256
04a5cb5a8c9f64cb17fc45307db5af17318e3ee841bd5876465998ce3bcd6176

SHA512
862700dd978c83f59b8851127c2c56d0e3f533c7309cbaa36c1b9d6e335f8922de3d21a78012928512369ece6dc45d8f370065686315738736559eac81e1c747

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\645AEB44FBEE3EC2FE9DB6CA5209F74C6FC79689

Filesize
123KB

MD5
cd98276b0ddd368ea3357b206d6cbe0f

SHA1
dee6f1b643119d932dc2707fc6c5a19867111592

SHA256
0cafe740a229d9a2216c5f01d985ef7e0d95b6ceac2debe00fbde68f168338a6

SHA512
7d04e443344e242c84ae5e1e608d6000ea3dbe9bf25bc6a3538d55bfaf129fb5bf8decdbb318921c716486ed37e12ba166e873724e97746fcecd1c4091d2d3e9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\D16479E925AF122292501EFEF9D2A14A47D3245A

Filesize
77KB

MD5
25e82247db117e53cdd91b8cb6cb9bf4

SHA1
0214a207ebf5f75249e18db8d3e610523af2bc90

SHA256
8c8d54136db488138b0edfa82b9349385f16d0a6c9da3555d81d68fcd42df5e8

SHA512
5e403cc382bf691cdb37afb8c201849b1a26de8118091cc96cb4f6cb86f71a57da6c9c654234c08150b6b0cd0bc578678bccdef1c508b6e6c0ca3329853f52fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\jumpListCache\LQRcX0KSVKVSS3wqQGZ_xQ==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZaAMAwkw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-18467

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
61660db811bdb646ce90ed00e77284f4

SHA1
15006d158cb20953f9276e8730e0851e36d91a8e

SHA256
50007db99164318e3685dda009014cd4876bd19a2daf8aee3013dc74e047fe0e

SHA512
d8b28d084e95417fba0f8e16e5997b27808865d4403d8aa4e3b953700fea66e4f5f4410b647c46fbe28a7ec298d38763e3c58e8618be987fea03e1682c33a087

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
fc38ed714ffefc303fa9df63f8393b0a

SHA1
18069da086a06fb3b40b708228bfde9113640c2c

SHA256
2956eff62fa78764810eaaafce6e37c097780db92dc8a5628625ac9c3607fb23

SHA512
35420fb56dbdc50c0b33b935442721e1ca17378e6e0e79872a883a5d6ac61d3e8138f63bf85b435091d867643b855ba4a8fe2fb43edd5c11205608eab4c6d9e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\a142ce38-3126-4f0b-9abf-c99aed7ae34e

Filesize
856B

MD5
68420639c879055fe781868e558013cc

SHA1
73c990c71d00a1897fb36f31a22f3d760efce659

SHA256
170e58db396ce23ab4bd4d42c11c343c7c87b86cff498fd7b6b9bf522b84c8a4

SHA512
2d620c4c75f07c2cdd4795a6ba4a5be4178c2901cf13bb0eefcce2905221236aa51c6dad024d1711a6fa43ebf33b341c21c7d94e1fc5459e280e377eec48eed5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\a8455d42-7605-43f4-9c30-c9681f775cd3

Filesize
1KB

MD5
042fca0de38e1ac94dbf6b0fcce8132e

SHA1
4b487b64014fd02f04dbe4fdf8d6a3383b91a911

SHA256
cce803d6f388eed6c51f266c0005f9eba1f2f0125746e19c2a99dd439720e9e3

SHA512
14c6e5ac718a9f33a20794475ad28c2d7d20322f6098484b7bfca9ab45d350410d4d9ac13c17eb8ef31005763cdb7631366383de0c8fd05aa4cc210b68b3d63d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\e75f53bc-6156-48eb-9e5c-52ec281e8e79

Filesize
734B

MD5
771e416819614499b0942711543c6728

SHA1
9ebd4b13791185c7c709552608aafcd5ffbd0221

SHA256
6c9aba84c27b3942f069745acb1e1eed084e7f20c0cc93fe6ff34f317362acf7

SHA512
feaa882fadcc0274b3036647a1e1ac6dd8c8699f9d26a1b7cd6a197eba43a35d69488f4ad17a213537b77fd55177a03415fdaeee1639675ea8e53cd4071e7372

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
1f4424f3767e6dffc451eb7a0154894c

SHA1
1d5553d94b65cebe4aef414f55034e51d6a903d5

SHA256
4d8492929e1152aa53a7088b4d1392fc20219287211fa77b601104e1fc2afe26

SHA512
c2f9a1a3bb81383bfabb15516544fa45f27bf112b0bc1897746380fc9d16a13fc1dc1efdb841d3f455c4a494a7f86973d093a9d93713627f21e7aace77675787

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
3c3a4a2d4b0f828b06dd28b92d0076ab

SHA1
c0cfad9c9197cf67b79b38d8114a451a35e81f40

SHA256
60cae3778d0044d9b4cd22802aee11e2b6b3e3353d3a37c71eaf0265ff6bd56e

SHA512
ad72bbe267d41afba893f442d049ba5049bc192b8d67d3c00cbd7d11a79750bd89a52cbcd8df088b83766091eb404f45a44d5c8f7fcca904e4e6e53de86747b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
0d007dea56705417db75a5772da4d136

SHA1
6f61166e75e6e2b5358f763608a72bc270031dc1

SHA256
3ec6936727fa3fd9855fddb3665c684e46e30d89b8c468c5ee6e0fd48683d936

SHA512
0ac40548d33c52d5435793d5fa3603b7d65349f13b9ac0aae6ea36c06272ecb7af0b028a31863ae4bfd8e1a4799eb245e96cb7367104dafc591a31de46892779

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
593cefb51536617ffed72ab44511a3cb

SHA1
efc193cc9eff30c3005d9d7fa48caf2bbad0ddf7

SHA256
7e478e656259d7f6f5aeab70e708922905ac6a70587c26ffb3b8c9af44aa0996

SHA512
fd67744aec9898a96ca8a2e258ada84cff40b114f8adb5027128f3d0644c802b8d49577a40774d3362cfd70cd968da997bce9e5cc0b5930f0b0f5888144cba92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
16KB

MD5
dae7199aaab5744151c330a68b545f07

SHA1
21336e4eef6feb4eb857e02c7ae8a80033ca81a5

SHA256
3b4c1bf9c863c0c83b910a3416050bd6da1c6e5d84735afc2d4a55d9300b309f

SHA512
105615685edb02cc3c5cebf4734791286e831b563a052c1991dfd02f4e81c71c53a81f9a4d2039e7a87c248814ac8d1b9e65f70fb0a1534fb7bb530b89d2d938

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
4cd622814ee7bb817e57134ef367cea7

SHA1
c3adc8693d62c5b8dbbb4df01d0d37cb89bd2000

SHA256
d1a0d7d7032cad3b7e59ac5f4cc0ee6b1117af8cc555f4360e4526608f071eb1

SHA512
9f385f0933ec4b70ac93b4ee7b6c325030866aa5e1fb82253ecdb1c718e4e1e67235f8ca691a9a3c1d716ac0c55e9f30ca4d8048d8164317c1b1016e33105308

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
ac3609ad30c310c578041fcfcc0b5ac7

SHA1
d8eff90a83751700b1be0e99f4c61a55988cdac0

SHA256
dea91aa41d2ce1c85cf8fa65699e8c28634fd74fa2ff09d61c656690165debdc

SHA512
cf8615a55b3b818d041717746a3e978024950136e2f796f9a1097cf6a8e92045fdec60aa2befe608b3bed3074d9ed5d362e040a583f27fcd46069dd548b9dbc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
f44a00ec7ba1817827c0c6af4b43afa0

SHA1
be0f311ab465d6587f32e7066ffdfe47da2024b4

SHA256
508769cde2e48865598ec88fbac361c2548091aedef7e3d80886bf2e39f1724c

SHA512
3fa47cb3f7856f481514e67cc22afe1387e7cdcfaa22f4cdf8b50b9b876e97eba79eefce41c765f93ede4bb790486a25f819734cb8a44830bd688bebe8f52bb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
678ebe520b2ea55c99241dcd9ac8de7f

SHA1
e5e04f7ade95cdc49f37fc9362c4a3ba8bee88f0

SHA256
d63a1bf8b1ee6ab8bdffb0d5588f4ecc0401e41b60801f9986c946e16e83c0b0

SHA512
22b82955a87e9e3e585691652ca03d2081a8d84eec3d72f85029dee1397e03413a64327ad4bbe08d12dbd5bc49f94d02f7ffdf18ad8a7c1b085c926ffb384fbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
c9b777731f6d6496e89d34a95f2183df

SHA1
2811004b87a69ce03cb44f95d14e369e780431ce

SHA256
a0abc9f3a9f88287c9054f259c85b4ab33829ad6af9599062769ba7b4439bcfe

SHA512
3dbb3d0b90b4d78c9c48e3bf71bf53385b48f6a58eb49cf01985c513097056707d405bec8c96471a34ef495b37b0af5c05c5e7488e591535872f6c68d0d1face

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
8da174cb720a5f1700be3a2e2677217f

SHA1
c08ad4c63b707690de3eb5ff331ef5718b9f12ab

SHA256
9a345c366b8d0579b9a29449fa6f18f3dc8f323c9cbcfa52df69b392a2979a77

SHA512
5b60a89b339c05242b6e3ede8bfeb4910a765b9677e85fe1c4b0927e63764ccdeb33b79b5aa52e46c5f4f1e5983a19cd64d200906d15cc201c04416d0b7f726c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
ad2b3e02bd9748e9e26a5a7e313040b2

SHA1
b09c26f1b0e1e551473dfbebecbbb1ce985664e7

SHA256
87dbac7176441ec28783aab95b8160da17dcdbba4bc29524ded6f46f17d6a4c4

SHA512
bf001b7145808449ba3111a089e657a9f8ea71e395c8de5bb898ec58219e2f56365fe2e4f20a3cfba84371f112f9556809533aafa7f8ab206a4d8c4ec6746834

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
6f3290bfa17e5430f347072e0056eb7d

SHA1
f00db584d2b7caf6efd214c28065ada150bdb789

SHA256
0eb51d46db6d27f0d74d6bc629854afc59fc4d48b90298cced53b1560a01438e

SHA512
9b1409b4a2f3642898836d41de2e77600b5d3d4b82dc2cb1081b763e701283fa49c2b60b16f2a27d4b7afd7810c3b1f9fd123d6826990ba16f0a74b477873d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
a78d4e6bbb22d524349e8c265664e8d5

SHA1
ed153cc0e6ca908d9c8b93304a78017006cd2ff5

SHA256
08d6afb051f11daf7605b44ed7d10c925633f6740aefd5086086d03a287d3910

SHA512
4da045a7dba291cd8f44b572f374661d14a26c0430d4fff11a56fed2fcf324dc5bc320aed9ed50cd33c477e92e900583f58080fb4e6c56ba36647dc5ea51de33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
52e5ac549f7c44d3924f362443f60660

SHA1
d599a94cb7d19dbba15e217ecb48573d94fa1f20

SHA256
b53ffe27fe5bb9a20106d35da81cf1b760105bd212266b6c691876005c3eff5a

SHA512
031ed18fcb75c8c4c540a5117abd0689e0e1ff0dd17f69a0dd211688425248545319902331414bf0387ef8c3a42cfa0cfa7117b5c69350e8108104fa3b5a172c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
a40b0966a7f8abacec884213433d6596

SHA1
daea4bc75f87dbc9f47d9a0ddbbf7b5fbc9f75c0

SHA256
5bfbdd28d56e59fff4826b1f0b1cf120f1241c6b8bf61679d459a781479a348d

SHA512
089d2af03b96fb32928b5aab3ae5e0aa6ba4fbd1427247103bf6952b58705c8003ed8d5ebfecb7681731cbb173dbb71bcd4cb7ae4f7484955d8cd0a1c8b08cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
efe6a1dbb8e7a7c3b69641a9acd84ca6

SHA1
5240985e13475525d560b49edcf0647ced48772c

SHA256
466f2ee0422e28ef6dd9afc8c6377ecb6dc9d30bcc209bd54065b5e7b783dd21

SHA512
4b3878f877acf33678cfc7bf9a1c6bbb1d015e79c93e66db5b305a3bf4259d263de99411397938367dfb7846e6968eb1cef3841443f6592e63a45cdac6e41488

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
7KB

MD5
42b93b903555090f3a944f717715361f

SHA1
7f53c91676d5cbccf6b79eac45bb345c1591523f

SHA256
551a57f82681c449a093485c3602e80c5c8c49cd78628f8788ab8a0a3615128f

SHA512
85da09d9d7960fa35be4bbabb85d0bc7dcad8f647d6dc3d7a4adb60fd8bf1bb14e1019cf455bf5bbec2e6dd3283e72fbb048bb8c28a8cc768589e131b341b714

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0ed2663971e8051b2bcb574926400fa8

SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7

SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

Download Submit
C:\Users\Admin\Documents\Are.docx.deria

Filesize
11KB

MD5
7257a4d8604eb1ef8a96a91d9b1d317c

SHA1
fc91a9917db00fb85e294a152c5dbf4331622c17

SHA256
e6e50d9cbe2c23cb053dfdcc92720b310923c87aa507692276a6b7e0c4bf8f2a

SHA512
aec5a7fa8b89106b7a81a1e9d0c7ba8165796a6250c57d5dd787f97e340492348b8a573c65c325371dd2148f67559080f7ce0dbc4c3888f4f75fafa312c8ea1c

Download Submit
C:\Users\Admin\Documents\CheckpointLimit.ppsx.deria

Filesize
758KB

MD5
992acddf6b301d036ccd55969cf64233

SHA1
56adb5f505a5eeee32564ae34039763642ddbcc9

SHA256
6a367b9ce8f86dd5969b68eab173f370ed29f6b7c3e8c382e27b45ebaa08bfe9

SHA512
125a7ca262a28546f4ee7c466a6db2b8657cc7ad0d2f69604334358995dbc0452c2ee46205767fc89150ab0e2f27881e78a983e1c1e13506dc0453233c4728f2

Download Submit
C:\Users\Admin\Documents\ConvertRestart.vstm.deria

Filesize
1011KB

MD5
a63f1ff250c039e68fa5cf0fe9bad0d3

SHA1
63fb69d6cd3db9799210ffd67f78507e1bcc2c27

SHA256
22ea83867f14ac0f264c8bb6707deffd94a7b9625ac6079b9da2dbfe6cfdee86

SHA512
bb82d193a13edb91f682f009538240f9d195263c963483cbe97247df92c925e3fb9c4f8ff050729afd6017c4ee0d9c0b9c926d4e6666637e2eb10d1cf47718e0

Download Submit
C:\Users\Admin\Documents\ExpandPush.xml.deria

Filesize
859KB

MD5
00eeda91b79896f07bb0b9a1988d9508

SHA1
f11276c56374a67cfc297ab9c31b38fa4d9ca0d8

SHA256
ef611e19fd47cd9cc74b6d07afc0820dd962a743a5e0f48146ca0e8f24f5d39b

SHA512
7449fa8c622b5a6677512a7592cb6b75aa36076932ec0d365a91cb3e99523b7d57b9e7dbeaffb9d14e02b29696f5bf9140bcd3f7ef3ab8dc287f1089614fa651

Download Submit
C:\Users\Admin\Documents\Files.docx.deria

Filesize
11KB

MD5
013ae46b8df11356e2d027da16932c2b

SHA1
d243fbe6e6f862c8853a850703c16eafadf1d1d7

SHA256
d514604475affd9a36b5a1c4db96e9988e95b01f5e36df3fdb6d0d909d5d6da2

SHA512
aa1c0baed9b673dd934a5c9e62c1d1a65d9d136079395e6d4fe83637df9d83e0bb626d8435de73c14514ce611eec6ddb6d7c4734c6179622bd35b08cf972fc04

Download Submit
C:\Users\Admin\Documents\GetOptimize.vst.deria

Filesize
707KB

MD5
ba741666c8de964124ccd56bd9db5543

SHA1
c5d20545eb0488b1853a699c0ddeb21f271cf47d

SHA256
40b95ab8b20a3c97c7a227f40e9ead75a68d7fd5fd6a920da9edfc5480dff978

SHA512
22c1699644a165c7a6b216ba79312862bea3f046f472dfa7c1ae9145e20068125688b3c2cef999723dcd3d63158a314e3a068651e580d3e2054c0e96a2cf8b82

Download Submit
C:\Users\Admin\Documents\InitializeUnpublish.potm.deria

Filesize
606KB

MD5
940c9a571b618a5861ffc1663864ca3f

SHA1
51b67d23960829dc9b595bba6a09dfe2d7d84dee

SHA256
cdb3774e143ddb244928c59c30902e130e5bd05302604eda2ca6e33fd3f40312

SHA512
4bd5807b7f93a73092e5a7dc2c509746093c9a83fc1db4c716fcc40f66f32666a17af41d21b4d8065fc67e488efa015e4aef430ca2c02ff712d78d7945745641

Download Submit
C:\Users\Admin\Documents\MergeClose.potm.deria

Filesize
505KB

MD5
3042c70bbef1f6b5ba7cb7129804c2ec

SHA1
af5a2ae75f88f4e457f51a943f6bbab7ae6aa710

SHA256
2ac16629d94d0e5e520a8d0d66e3ea6ed39655b7793ed1901ac0ada6a1e86899

SHA512
78d0912b78a02321a5d29e97834b184d4f868f945fddd51fa514923b2939a05bade6a7b051ae554da70e7cc7327f13e0bd9a7b5564cbf8c68d9a10547d0400dd

Download Submit
C:\Users\Admin\Documents\MountSave.html.deria

Filesize
1.7MB

MD5
86cac74fd3f38dca4cd96b0f878d6f78

SHA1
c8c0c04e37d0bd88b92633c2363fb57d6158e910

SHA256
d9d8c3fb90dc8680d16f02532eef948687135e6c7aa01378f9f4124ece6ba663

SHA512
c9620cf72438bfac021a636f50054b315e479a0272d8bd0c4f84c523351e3b5ae4bb2a770a7c12b0df7f9be286027f123d4e059d1f25b46ba0ce70d9344a89dc

Download Submit
C:\Users\Admin\Documents\NewDisable.xltm.deria

Filesize
1.2MB

MD5
51213cbebf08046bc38699d4457460ce

SHA1
869c6bb0a246b2c947807c58453e94af0b852332

SHA256
2620e6c7ea97c858301df79d9794debac22e78008bf461193ced0e704ea7c547

SHA512
fa096059475ecd3e15113493fb67e1b3a58667f7a477ffd4e77d6420cbe5f2be90ca1a2cbc371f0227e086fc08ec0d0ccba511bb1c55462296f49ae8b7bb2a95

Download Submit
C:\Users\Admin\Documents\Opened.docx.deria

Filesize
11KB

MD5
2070bb03147787c1b7b5a060929c9179

SHA1
430e5366d516f1ec32b44b7b8eda69e49324ad3e

SHA256
18fce06af393982cfe938a12ba8e85ffbe887c8be766ef91743b8e2235824e58

SHA512
130675e96005e884a9c84728898c84be4df97483375690390f702169b3b0f8bf92a0bad616469fe9d14146f98acf241dd2d993513c805ac0742ea97a4908efd3

Download Submit
C:\Users\Admin\Documents\PopConfirm.vssx.deria

Filesize
809KB

MD5
6e1a549b4388e9ace9c7263057fd99a6

SHA1
08ef23ad08785d7aae149dba989ab17995360132

SHA256
d2f7f2d0c90788dd74da9004c3fbd27dc81c7142dc8363e4f3a1007e208c6e62

SHA512
0606671f7e75761e50201684f6f99462bda9832c020abc39a1431c9afc5ebed397b7c74ef73a7c6a5b8ab2ccd48b83e3621e969d7f5cbefe190790040dab26d3

Download Submit
C:\Users\Admin\Documents\ReceiveUnblock.csv.deria

Filesize
556KB

MD5
2bf53e4ecb43ec39ab4f939c3c878a3e

SHA1
b7baf6a14779fe854e61afdb2a5986bfca46cf06

SHA256
1db7dd9bdc8f8dd2d5efcd8fd4321d042d57641e88d63a61ab82005d1788f481

SHA512
897f20c376f6740ce0594728cbe2624e2667f783f23390e197d70221ca8654494b6bbb460aeb24b33890a11b002c78422b66071289a5d8ce89642e56d09d028d

Download Submit
C:\Users\Admin\Documents\Recently.docx.deria

Filesize
11KB

MD5
ac1767f2d2665beff6c755524af6c5e7

SHA1
f22f0c53017ccf699ccd9645cbdf98d4e7d78e52

SHA256
33a39ce19c8be90b9f01da4fe6a5b419bf9795e5d1cf063c6b0296057ff5fb74

SHA512
37654b355da91f70b55e5a1f974c66ab6871525229fa8bc86aeb8710b6d859ce242e1c827992efb2ded3921184b276847ee36d3cd65e1cd90403a34d9cd4e80b

Download Submit
C:\Users\Admin\Documents\RemoveRepair.vssx.deria

Filesize
657KB

MD5
fb79c3c17dcabba4ab47b3204dd91f0f

SHA1
6d89876449a90db448d0ef60731027fb7c693260

SHA256
1b85f471202c7fb78fc89620bc471dfbe0e312bee8efac7a4e91c3bc69bba480

SHA512
79f84d2493d9947bcad8d150352f65e7c14cd938e5ba491f822a1d9778d50a998fc405aa9334b685852b239c5e33c9fdf3b645739251a5ca774f7e42fda81ac2

Download Submit
C:\Users\Admin\Documents\RemoveSkip.csv.deria

Filesize
1.1MB

MD5
c2e177419d21e352ccba99058dff5cfc

SHA1
a2286449a57494e7beffbdb1d342f660637f6c70

SHA256
e2df147a4b9268235554c4ff7d8ee27e19ecbf70d4ddbf360d5fb5d52bee5290

SHA512
bbd3eb0c05a482acc8e2814596c2589cd9c54e4a4d62830922984406ea36509243dcec60beaef96f419f8fd6dd68f16ff0340ad8e9b829e96c8a5e7815dba474

Download Submit
C:\Users\Admin\Documents\RevokeResume.xml.deria

Filesize
960KB

MD5
a7bcd0f50162a163eef08672c3e840d0

SHA1
6d49ec163cd8386bc5b57ecfa47e4e72817e39a6

SHA256
13fd567c5c664125c3c36224809cd5df402bf490b2d74d07042fe4654a95ec2a

SHA512
2f36b9b80ad2bf1126a9c05f62980a4fee625f2eb36df4f1f3d93c5b2b71ccf6bf3bce96ed45532757a0b2b7694d48e57cefe3b72accdf596892c4126058f795

Download Submit
C:\Users\Admin\Documents\SelectReset.vsw.deria

Filesize
1.1MB

MD5
6ffe47355a8a356b49aa5303c6a7b06e

SHA1
48580cec66ca0e6eda3bed3beca9e927f9543e08

SHA256
84720ce2334dccbb056dfa2bd51d00c8a033c047e1f6858e3e4c179b8efe9abe

SHA512
b63262325ced9fea68cbe2261009b332383b840d5dd98878a121687dfed4a0ec3896b0fadf2c1307214e1974b2371b2db5bb92d137e960dcc0ed5f68b5f7eb73

Download Submit
C:\Users\Admin\Documents\SelectWait.xlsm.deria

Filesize
455KB

MD5
349beed141ff39606de9b2ade31505a8

SHA1
6b4322d71b4450e0513246aec55598e4a791ecb9

SHA256
85efa2faeac9e31676ff68756b4254e2c0164d5d609cd7983de52defc57e45a3

SHA512
d29adc2de4bdf9c209abd4982e5d21f1fdc20d04cf81cdd9bc448ed5e719ccea55aa369eddf520e62fd24c377c2ec48dcee3773996c1139e1a98580c678ce277

Download Submit
C:\Users\Admin\Documents\ShowDisable.dotx.deria

Filesize
1.2MB

MD5
4501e7ddd5003cdd26c466010be74267

SHA1
74993e0f455678e4ffb79f9a1218730f69f81d82

SHA256
3857462520a6f15bd508a9e41a545a77b30883ec39f69d412250b7b22ab8f41b

SHA512
edb8f6952eb46db9cc04c31e5abaf5f118686451eb26c1a66b4d7f721716fea9e0e24634a7451e48158f3f35aa96a6ede5e8fc511589cdc1b0b5858e2b1ac877

Download Submit
C:\Users\Admin\Documents\These.docx.deria

Filesize
11KB

MD5
2672333e7959894eceaad74f8d6de7b8

SHA1
8407438088b0f1b671b559bb0f67aaf4294eefea

SHA256
5801a19a4b5690ab1e164a14e21df4f8eb541dbcfefcc81d5d88d4856ef3ad29

SHA512
e96fa0839d9eefd447db207f979ed1d639f9674315f2a6ede2eacd287656f37cb6045afd335e0c645d3eefef935c945e26f9fbd2b1681b06e1651c9936055a52

Download Submit
C:\Users\Admin\Documents\UseGet.pps.deria

Filesize
910KB

MD5
40fc726b1310389ccceffe70ac6bb843

SHA1
bd3d9118d4af71a1a6a6ca6f90cdf8d85ba6775c

SHA256
120e84f2cc004a700e841104c5369f6d264ade2cf33eff64265c54a9cd935dcb

SHA512
2dd7e6eec204ea60ac0400dedc5181af2850d3b9b19cfa57154e1580315ac16fe5fa7ddcac136ed6dd470dc503b93225296684f39daa5b59ef92dc01811c3542

Download Submit
C:\Users\Admin\Documents\WatchAdd.pptx.deria

Filesize
1.0MB

MD5
bc4c4feb30f3e8c52e64f010b75a9efd

SHA1
8570f7ab61a691ec4c3a9679ec9c0b48d64469ce

SHA256
782fde62a37e2ca8b60634d20cf807f758291918520f9ed9156c979f007bd2ab

SHA512
d1c77dbb4bc1064ad1ef200ee3018e1f7a8e02da4ba28717953db81f13b0cf428d40a8baabe850fc31a140d118221b0a8acc152b2c65f1ba301442b91a791c94

Download Submit
C:\Users\Admin\Documents\desktop.ini.deria

Filesize
416B

MD5
56544ff9a9a659e62e4fbacd214606f5

SHA1
cb2ed2140679a640e1af0c81732a83ceb78f9be7

SHA256
4e80bf07432c5e6c9d9ff2112b6dd8d5705c4261b724f930f6d39a0692875d4d

SHA512
f58960722ee499fe8ce5e6d67d12b21e79d63c632c08a83b742836da9e832ea5d81dfc5ba06a4489e29b5aa83f57c1df14699aeaf92df74e6fe57c25e1c03b67

Download Submit
C:\Users\Admin\Downloads\607B60AD512C50B7D71DCCC057E85F1C

Filesize
15KB

MD5
607b60ad512c50b7d71dccc057e85f1c

SHA1
a657eb27806ffe43a0b30aa85f5c75dac0e41755

SHA256
3e363d76d3949cc218a83a2ee13603d643e3274d3cff71247e38b92bdb391cfa

SHA512
fc8035bb2c7cc28e091d5c2ae35f31771af3df5d12c54c643aff613e0483c0c82f918f78a35f09877d4f431cf9a4d2619b05ba50596d76cfa9f9c8e33a54bd7b

Download Submit
C:\Users\Admin\Downloads\Aoom.exe

Filesize
260KB

MD5
ef8f2b9c9926d549ca48459b44a5b337

SHA1
b3525a3efe0b0754ae08ca94f3c99897de098843

SHA256
6e636032cda5779cf30e85a7d397f3296e86d2a1637f00dd8d054d4e9da2511f

SHA512
9e630b60c56baab079055ea9c5596af386707ec2a5b2cd36d2365c8dbfa6feeea8bf562ed76a12bf8aa48616d8096d3324eefc62c8a62c8960a85d5a05054d66

Download Submit
C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe

Filesize
953KB

MD5
1d451506237077f8b09f5e977ffec232

SHA1
f8bb2b74d165a1f9e76dd64779f5853277e185b8

SHA256
3dbcf4f75dbe901b2b555f8c929ced4ec56645e4a628a28d621221c6e8f00c60

SHA512
aa075a87d9bc69b4835d081a2cb03cd27b76742d02112ccfa3f6fad85fea7f79996b94c770f89edd33bdb0789ecf53ead43417de700ba89611ccb37aa4d19d21

Download Submit
C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\CgAK.exe

Filesize
643KB

MD5
2a5cbc51e4dbf0696fe50c2a06b12227

SHA1
b3abd4eb8c64de87786c023e4373b0acb6fd4d82

SHA256
e71d435a1b31c41f8c8805131e923390be0419196ada91888a82c931ab15232d

SHA512
a73cb688efac8b5ed46e553621c58826eb1810d6a48b88c3067bf85af07d99ecab71e102c01b47db511e5a9eabce3582f2e40a733d1c0d6356526942f3f67244

Download Submit
C:\Users\Admin\Downloads\DComExploit.exe.vir

Filesize
36KB

MD5
d68cf4cb734bfad7982c692d51f9d156

SHA1
fe0a234405008cac811be744783a5211129faffa

SHA256
54143b9cd7aaf5ab164822bb905a69f88c5b54a88b48cc93114283d651edf6a9

SHA512
eb25366c4bbe09059040dd17ab78914ff20301a8cd283d7d550e974c423b8633d095d8a2778cfb71352d6cb005af737483b0f7e2f728c2874dc7bdcf77e0d589

Download Submit
C:\Users\Admin\Downloads\DeriaLock.exe

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\Downloads\EIcg.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\Downloads\EQAa.exe

Filesize
188KB

MD5
8ebf1c7080601c3fad43e278d44a86e9

SHA1
7dc7fd4995716e893fe32765e4597a1b94dfae29

SHA256
2327a57bbd3abcd257475af401151cd07f449487a7f535ef6ab0ca0d93a73715

SHA512
548263084865982970e333728928e8834199ad3254be281eafdccee21f052daa6df27fbae6de51360b59a5e6a74c4c7af19ea8c148f8afeecf459a8d71876298

Download Submit
C:\Users\Admin\Downloads\GandCrab.exe

Filesize
291KB

MD5
e6b43b1028b6000009253344632e69c4

SHA1
e536b70e3ffe309f7ae59918da471d7bf4cadd1c

SHA256
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a

SHA512
07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

Download Submit
C:\Users\Admin\Downloads\IQQu.exe

Filesize
790KB

MD5
3bee4d2294d27091a669ba6badba19d6

SHA1
cd79eeddf554744773485969566b28fc56b3efa1

SHA256
14b212c5188e03d9b527260c4eb7681e34b52dd7e5c70a8afdad4eba750754f6

SHA512
41af967b5d435a4796568ce690dcc8d0d4b246094a43416da55b4f6178384376d1e38260e737bd1db7366d13e594e481251914ec815db61397795504293c3065

Download Submit
C:\Users\Admin\Downloads\IgUg.exe

Filesize
208KB

MD5
6651ae3f329f0bdc88e2e0fe6162b56c

SHA1
355ed17ae34be91ce5c19ce1b22c53c17fdadc70

SHA256
d8b661518cd976d549b23f3a0d527fdd567eac0fa39483a55f77d3e0ae20eb4e

SHA512
38407726f042749fda922960f495d5ea312991d13e9b1cfafdef7b6c2bf41c87090dd5a2e8882ef9d3edf6c6e8fb6ad7302347e302373da4e4666018bc51acb9

Download Submit
C:\Users\Admin\Downloads\InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\Downloads\MF9wnOqn.zip.part

Filesize
277KB

MD5
57b74cedb501ecda4ffa647d051ed167

SHA1
f04fd9bfb224664060245934305bec4ce2d26ce7

SHA256
c3ae24dd6b0e570611ea13b4f24e3b50ce0c6906c9ce3ba72105e4c91a660b1c

SHA512
eaaea014ca91d459a89a6f1544617f3cf3801521187fe757b08144125fe02ecd880e03726b28e32139bb752dbd52ec4133f707bb8c84e8a9ad26da54353a4d6f

Download Submit
C:\Users\Admin\Downloads\MIcC.exe

Filesize
649KB

MD5
8b7ae1fe09c1ab17dc7395b026a0ec8b

SHA1
6bdcadf74725e4c77072f967c75cb464eddb9ed4

SHA256
87f260d1bb7eb205657e27c31a1461aa5e240ddd160ffde5836dd2369eba71ed

SHA512
0563368ef4fc24922fa83b0d2fada542b354a3710eea4dd22ef458cb9ba703d8f01577bf0561cb9e04faee1121fb1fd90faa2ab1dba9b77e60b004050df9dc14

Download Submit
C:\Users\Admin\Downloads\OAEu.exe

Filesize
192KB

MD5
871fb2c36cd06df4cdf68264dcba335c

SHA1
40773e958b089fad2ab611f64193d966c208ffce

SHA256
f176a782533d1967578c4797b88cab7211ce8a6e095d4faa4cce22481562c073

SHA512
dee64d45da307a26359718a3a3cb0fbd33c5986dcca7397c56377ec0db8f6a022e0004ba486c5aea4873b573c6000f84338fd1d3e611d1fd6a892373ffce3b80

Download Submit
C:\Users\Admin\Downloads\OUsw.exe

Filesize
198KB

MD5
9fdb95b24367ca2a88b1ae5e4dd3a047

SHA1
970d4e89ef670a0496ef5d31917546acb0b991b5

SHA256
99a5c89308ff99ebdef4cd50fd3a31718fe49a5fa0cd79d6d669caba89c2a005

SHA512
5196dc10720cbf08042f149d213b35f09aa387a8f20931d29db842e194f034dc8acc09fd0c0439062c794c18b6c3a9c3d04e299f19c540e7a784cc2188ee0a45

Download Submit
C:\Users\Admin\Downloads\PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\Downloads\PolyRansom.exe

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\Downloads\WQsO.exe

Filesize
307KB

MD5
fc89c149a49a9dd755c6d7b7ff420cc7

SHA1
5d55176ec30a068dc9e59468310aa1c2377c8677

SHA256
c527ee759dca17e46eaab8126866910dfabd188608d100db2a93141dbe41fe73

SHA512
12e9d1cd3b1356a264b495ca2a944744c0d259e2008b063fe925b343f36c1ab374c0dd5d885a46f892ef0869a2b7a700c467986784bc0360c07002bebe44077f

Download Submit
C:\Users\Admin\Downloads\akUK.exe

Filesize
212KB

MD5
f70773085904104794867ee933cd6ea9

SHA1
26da1af3ae49a0cf88e5c59e0eae5b9b0b69240f

SHA256
721a32bb3939127636849ab80c7d403d384c466de7f3691ebf5c6599fda0b707

SHA512
b7b786f65bf0e02517789f844db6b8e4b53c6aba4b45c74853a574813755d970d66730761c8022afad584780b78d61456c48fd9aeda78c9d4ae38c1a89a18827

Download Submit
C:\Users\Admin\Downloads\iwMu.exe

Filesize
208KB

MD5
64d8e6dafeaceaa49b7f168410c7229e

SHA1
5219ac9bf1f736e3177851a5709439d8fb5369ed

SHA256
0166a0a74cb2cb7fb23a1dd85b49dca6a713d9c7a783c551ecd71d7ad5cb44ea

SHA512
67e30d01c1978b32087106bed470191a8a17bed39e3db4c3c3c5860320dd50b3b09ca42b13ff56c70c96fe9d10dd087e4a516bd9668751ab8b5b33ec24bc6d2e

Download Submit
C:\Users\Admin\Downloads\kYIe.exe

Filesize
319KB

MD5
dd891ded1580f9957d4aec1882b3bd47

SHA1
bb768a8e1f037544e0e663779dd40c6359a1df18

SHA256
b6000409fef002ab019cad5c5fa25ea3570336b844a8230f6e52ea70296e8ad1

SHA512
efa08eb0c5473cca758904f2d7b4012d0fa7daa1a99d1ec84c15c7ea2e2a8d514fa6cf70f930ddeaafc87b84197ffd3fa50407ac4532005d5787f6628b40c367

Download Submit
C:\Users\Admin\Downloads\uQwi.exe

Filesize
218KB

MD5
67f3b4cc68ddb8452739dc1b658e6c39

SHA1
96939abc97d0bb0546b88a28ec2d2872c1bd009a

SHA256
6cb921c6f4155d4453f89b154252c911ab72cd49145bbc486aea87a9d52a7720

SHA512
9197da855b0c9450f8ca00e7779cffd315ab53a2b896aa83aa567f350b297d4033255a17e1588e110abde9085ebc10adf75c7360384107ba1db8f89e78adae75

Download Submit
C:\Users\Admin\Downloads\ysgm.exe

Filesize
767KB

MD5
eb131ee763aace8355f3dd372bc5aa10

SHA1
f630b72c9a82ad3871db7b1b23101c370d4d4ed9

SHA256
a49f4606b427d41487cbf9280b94d49974f42957826e63e98e55845848da8056

SHA512
12f172dd490971036846d04a70bd23652c3026d9c539772e90278c5a51202e2c9ae52684bcb80e4cb90a665b5abadcb15ef8c5695298fc1600bb8f714ac7fb5d

Download Submit
C:\Users\Admin\Downloads\ywwm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Pictures\ApprovePublish.cr2.deria

Filesize
282KB

MD5
4e6d8d81f360988580940f7fc5c22c7f

SHA1
2321a1fc6ea67ab4f08677061eea5248d940d831

SHA256
01ec90d83a42e5e47ffef5844757bebfcaac953ccde4ab3c161c772b64219d44

SHA512
cfd7f8d41dca87c860f1dc8eb21cf07c3872affc4c8e4506a7f07a277b39187c1ec8bbc2c4e38c94c06e0c4de4470cc6448159b6b68a559219f7fee12d234978

Download Submit
\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_bb379132d2c203f7\Amd64\PrintConfig.dll

Filesize
2.8MB

MD5
6b5be6e4a6c66979a89cf78976594722

SHA1
d85f1985b0d50913c04eae6599b3a9835027a58b

SHA256
7e1bb71f3f01ad5016c7fe9d6d2505795cd679c0a2d49f1ea09e4940773c9aad

SHA512
e3a8bef3b81424708d013868ac9fccad7141513b30f73f87f2bae966663fa00aa9ba2a10842df4893813066a58f7fd39786f0df0291f155eff556beb584b5fb9

Download Submit
memory/60-5084-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/60-5069-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/348-4848-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/348-4866-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/380-4587-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/380-4731-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/380-4562-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-4799-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/508-4647-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/596-5156-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/596-5174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/632-4673-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/632-4824-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/632-4805-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/632-4775-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-4553-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/892-4408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/892-4393-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/932-4910-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/932-4960-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1032-4597-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1032-4621-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1048-4403-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1076-4707-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1252-4723-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1408-4715-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1480-1257-0x0000000000400000-0x00000000052B3000-memory.dmp

Filesize
78.7MB

Download
memory/1492-5142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1492-5160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1560-4749-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1560-4655-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1904-4639-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-1033-0x00000000003A0000-0x0000000000422000-memory.dmp

Filesize
520KB

Download
memory/2080-5170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2148-4877-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2148-4862-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2396-5126-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2396-5139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2424-5073-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2424-5046-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2492-4442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2492-4474-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2600-4613-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2632-1281-0x0000000000540000-0x000000000057C000-memory.dmp

Filesize
240KB

Download
memory/2632-4329-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/2668-4681-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-4500-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-4526-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-4783-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2920-4833-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2920-4450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2920-4820-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2944-5079-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2944-5106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-5050-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-5016-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3004-4543-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3148-5107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3148-5115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3372-4404-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3380-4605-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3428-4663-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3428-4765-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3428-4791-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3540-4570-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3592-4829-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3592-4815-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3592-4852-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3696-5179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3912-4578-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4036-4534-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4056-4741-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-4757-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4112-4364-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4112-5125-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4112-4363-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4112-5446-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4112-4583-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4112-4362-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4112-4366-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-4873-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4172-4905-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4516-4484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4544-4947-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4544-5025-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4692-4492-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-4698-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-4896-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-4942-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-4458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-4434-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-4689-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4884-4517-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4892-4508-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-868-0x0000000006CC0000-0x0000000006CCA000-memory.dmp

Filesize
40KB

Download
memory/5056-866-0x0000000007280000-0x000000000777E000-memory.dmp

Filesize
5.0MB

Download
memory/5056-865-0x0000000006CE0000-0x0000000006D7C000-memory.dmp

Filesize
624KB

Download
memory/5056-867-0x0000000006E20000-0x0000000006EB2000-memory.dmp

Filesize
584KB

Download
memory/5056-864-0x0000000000BF0000-0x0000000000FE4000-memory.dmp

Filesize
4.0MB

Download
memory/5056-869-0x0000000006EC0000-0x0000000006F16000-memory.dmp

Filesize
344KB

Download
memory/5056-872-0x0000000000BF0000-0x0000000000FE4000-memory.dmp

Filesize
4.0MB

Download
memory/5056-863-0x0000000000BF0000-0x0000000000FE4000-memory.dmp

Filesize
4.0MB

Download
memory/5056-844-0x0000000000BF0000-0x0000000000FE4000-memory.dmp

Filesize
4.0MB

Download
memory/5076-4631-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download