hxxps://github[.]com/Endermanch/MalwareDatabase/tree/master/ransomwares

Resubmissions

30/09/2024, 04:43

240930-fcd9xayenq 6

30/09/2024, 04:39

29/09/2024, 07:53

29/09/2024, 07:47

28/09/2024, 19:59

Analysis

max time kernel
205s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/tree/master/ransomwares

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	pqcEMYYg.exe

Executes dropped EXE 64 IoCs

pid	Process
5008	pqcEMYYg.exe
4560	ssgAwsEs.exe
2652	[email protected]
3464	[email protected]
3852	[email protected]
852	[email protected]
2668	[email protected]
3652	[email protected]
5080	[email protected]
4772	[email protected]
3024	[email protected]
1608	[email protected]
5112	[email protected]
4020	[email protected]
4252	[email protected]
2604	[email protected]
1972	[email protected]
4692	[email protected]
636	[email protected]
4652	[email protected]
3084	[email protected]
3416	[email protected]
2120	[email protected]
2704	[email protected]
1520	[email protected]
1120	[email protected]
4976	[email protected]
4144	[email protected]
1564	[email protected]
2180	[email protected]
4868	[email protected]
3208	[email protected]
4484	[email protected]
1120	[email protected]
1912	[email protected]
2652	[email protected]
3020	[email protected]
1396	[email protected]
3528	[email protected]
4960	[email protected]
1944	[email protected]
624	[email protected]
692	[email protected]
2008	[email protected]
4732	[email protected]
3676	[email protected]
4652	[email protected]
1400	[email protected]
532	[email protected]
4976	[email protected]
1260	[email protected]
5052	[email protected]
4516	[email protected]
404	[email protected]
1972	[email protected]
1660	[email protected]
2324	[email protected]
4516	[email protected]
1472	[email protected]
3688	[email protected]
4788	[email protected]
1532	[email protected]
2660	[email protected]
1020	[email protected]

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zccQckwY.exe = "C:\\ProgramData\\yGIoEAQo\\zccQckwY.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqcEMYYg.exe = "C:\\Users\\Admin\\eiIQYwwM\\pqcEMYYg.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ssgAwsEs.exe = "C:\\ProgramData\\dGIwscog\\ssgAwsEs.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqcEMYYg.exe = "C:\\Users\\Admin\\eiIQYwwM\\pqcEMYYg.exe"	pqcEMYYg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ssgAwsEs.exe = "C:\\ProgramData\\dGIwscog\\ssgAwsEs.exe"	ssgAwsEs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oigIEsUw.exe = "C:\\Users\\Admin\\deskYwIo\\oigIEsUw.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zccQckwY.exe = "C:\\ProgramData\\yGIoEAQo\\zccQckwY.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oigIEsUw.exe = "C:\\Users\\Admin\\deskYwIo\\oigIEsUw.exe"	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
64	raw.githubusercontent.com
65	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ggUg.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\ggUg.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\cEwU.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\qkQs.ico	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\igQy.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\aUMe.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\aYoc.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\ywEW.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\YMcc.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\QUwy.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\cQsm.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\Qwkm.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\qccm.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\YMQG.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\scUS.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\soIA.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\McAe.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\aIUw.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\qoMs.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\KMcs.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\OggA.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\KMcO.ico	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\cswS.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\kQMg.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\ggUo.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\Yssy.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\UMwy.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\ukQm.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\ooca.ico	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\mYQS.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\OggA.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\UMwy.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\OYkA.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\QAAQ.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\CIYG.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\GIwQ.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\aIsk.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\GEgg.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\SIcy.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\kwsk.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\gUAk.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\gMMu.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\qoMs.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\EoIo.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\SEII.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\QUIk.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\KYEG.ico	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\oEEU.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\ywEW.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\iEsY.ico	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\AsQs.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\ewAI.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\mEoY.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\MAkE.exe	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\gcsS.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\WAQw.ico	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\SEII.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\GUUE.ico	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\ScUW.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\EYUO.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\Ksoq.ico	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\oEEU.exe	pqcEMYYg.exe
File opened for modification	C:\Windows\SysWOW64\esYs.ico	pqcEMYYg.exe
File created	C:\Windows\SysWOW64\WUIE.exe	pqcEMYYg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1508	1884	WerFault.exe	118
2668	624	WerFault.exe	117
404	4920	WerFault.exe	607
2324	4456	WerFault.exe	608

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oigIEsUw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
692	reg.exe
820	reg.exe
5052	reg.exe
3464	reg.exe
3820	reg.exe
3656	reg.exe
3676	reg.exe
1868	reg.exe
852	reg.exe
1776	reg.exe
220	Process not Found
1396	Process not Found
404	Process not Found
3404	reg.exe
3500	reg.exe
1472	reg.exe
3552	reg.exe
2756	reg.exe
3908	reg.exe
4668	reg.exe
3324	reg.exe
412	Process not Found
1932	reg.exe
376	reg.exe
4132	Process not Found
2996	Process not Found
4920	reg.exe
2568	reg.exe
3928	reg.exe
412	reg.exe
3124	Process not Found
5048	reg.exe
4944	reg.exe
372	reg.exe
4960	reg.exe
5032	reg.exe
3416	reg.exe
4772	reg.exe
3036	reg.exe
976	Process not Found
2996	reg.exe
3136	reg.exe
180	reg.exe
4884	reg.exe
2756	Process not Found
916	Process not Found
816	reg.exe
4372	reg.exe
2120	reg.exe
2596	reg.exe
4296	reg.exe
100	Process not Found
4652	reg.exe
3404	reg.exe
1972	Process not Found
4400	Process not Found
4940	Process not Found
3948	reg.exe
796	reg.exe
4788	reg.exe
3680	reg.exe
2328	reg.exe
1276	Process not Found
936	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4280	msedge.exe
4280	msedge.exe
840	msedge.exe
840	msedge.exe
3328	identity_helper.exe
3328	identity_helper.exe
4452	msedge.exe
4452	msedge.exe
1384	[email protected]
1384	[email protected]
1384	[email protected]
1384	[email protected]
1400	[email protected]
1400	[email protected]
1400	[email protected]
1400	[email protected]
2652	[email protected]
2652	[email protected]
2652	[email protected]
2652	[email protected]
3464	[email protected]
3464	[email protected]
3464	[email protected]
3464	[email protected]
3852	[email protected]
3852	[email protected]
3852	[email protected]
3852	[email protected]
852	[email protected]
852	[email protected]
852	[email protected]
852	[email protected]
2668	[email protected]
2668	[email protected]
2668	[email protected]
2668	[email protected]
3652	[email protected]
3652	[email protected]
3652	[email protected]
3652	[email protected]
5080	[email protected]
5080	[email protected]
5080	[email protected]
5080	[email protected]
4772	[email protected]
4772	[email protected]
4772	[email protected]
4772	[email protected]
3024	[email protected]
3024	[email protected]
3024	[email protected]
3024	[email protected]
1608	[email protected]
1608	[email protected]
1608	[email protected]
1608	[email protected]
5112	[email protected]
5112	[email protected]
5112	[email protected]
5112	[email protected]
4020	[email protected]
4020	[email protected]
4020	[email protected]
4020	[email protected]

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5008	pqcEMYYg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe
5008	pqcEMYYg.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe
840	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1196	840	msedge.exe	82
PID 840 wrote to memory of 1196	840	msedge.exe	82
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4908	840	msedge.exe	83
PID 840 wrote to memory of 4280	840	msedge.exe	84
PID 840 wrote to memory of 4280	840	msedge.exe	84
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85
PID 840 wrote to memory of 3400	840	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/tree/master/ransomwares
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8650446f8,0x7ff865044708,0x7ff865044718
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1304 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,16587842083670665155,6994821630734161368,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:1260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
PID:4960
- C:\Users\Admin\deskYwIo\oigIEsUw.exe
  "C:\Users\Admin\deskYwIo\oigIEsUw.exe"
  2⤵
  PID:624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 228
    3⤵
    - Program crash
    PID:2668
- C:\ProgramData\yGIoEAQo\zccQckwY.exe
  "C:\ProgramData\yGIoEAQo\zccQckwY.exe"
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 224
    3⤵
    - Program crash
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
  2⤵
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
    C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1384
  - - C:\Users\Admin\eiIQYwwM\pqcEMYYg.exe
      "C:\Users\Admin\eiIQYwwM\pqcEMYYg.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      PID:5008
  - - C:\ProgramData\dGIwscog\ssgAwsEs.exe
      "C:\ProgramData\dGIwscog\ssgAwsEs.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        6⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        8⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        10⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        12⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        14⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        16⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        18⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        20⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        22⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        24⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        26⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        28⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        30⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        31⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        32⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        33⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        34⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        35⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        36⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        37⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        38⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        39⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        40⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        41⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        42⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        43⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        45⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        46⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        47⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        48⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        49⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        50⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        51⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        52⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        53⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        54⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        55⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        56⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        57⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        58⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        59⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        60⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        61⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        62⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        63⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        64⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        65⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        66⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        67⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        68⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        69⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        70⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        71⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        72⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        73⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        74⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        75⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        76⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        77⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        78⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        79⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        80⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        81⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Users\Admin\deskYwIo\oigIEsUw.exe
        
        "C:\Users\Admin\deskYwIo\oigIEsUw.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 224
        83⤵
        Program crash
        
        PID:404
        
        C:\ProgramData\yGIoEAQo\zccQckwY.exe
        
        "C:\ProgramData\yGIoEAQo\zccQckwY.exe"
        82⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 224
        83⤵
        Program crash
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        82⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        83⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        84⤵
        
        PID:3404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        85⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        86⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        87⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        88⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        89⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        90⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        91⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        92⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        93⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        94⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        95⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        96⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        97⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        98⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        99⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        100⤵
        
        PID:216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        101⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        102⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        103⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        104⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        105⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        106⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        107⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        108⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        109⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        110⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        111⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        112⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        113⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        114⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        115⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        116⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        117⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        118⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        119⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        120⤵
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        121⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        122⤵
        
        PID:2604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        123⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        124⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        125⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        126⤵
        
        PID:3604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        127⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        128⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        129⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        130⤵
        
        PID:2148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        131⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        132⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        133⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        134⤵
        
        PID:3404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        135⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        136⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        137⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        138⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        139⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        140⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        141⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        142⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        143⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        144⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        145⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        146⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        147⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        148⤵
        
        PID:920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        150⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        151⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        153⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        154⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        155⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        156⤵
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        157⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        158⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        159⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        160⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        161⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        162⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        163⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        164⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        165⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        166⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        167⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        168⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        169⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        170⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        171⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        172⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        173⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        174⤵
        
        PID:1100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        175⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        176⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        177⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        178⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        180⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        181⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        182⤵
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        183⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        184⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        185⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        186⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        187⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        188⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        189⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        190⤵
        
        PID:852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        191⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        192⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        193⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        195⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        196⤵
        
        PID:2204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        197⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        198⤵
        
        PID:4608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        199⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        200⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        201⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        202⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        203⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        204⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        205⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        206⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        207⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        208⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        209⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        210⤵
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        212⤵
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        213⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        214⤵
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        216⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        217⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        218⤵
        
        PID:4608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        220⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        221⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        222⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        223⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        224⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        225⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        226⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        227⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        228⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        229⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        230⤵
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        231⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        232⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        233⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        234⤵
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        235⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        236⤵
        
        PID:3688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        237⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        238⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        239⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        240⤵
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        241⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        242⤵
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        243⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        244⤵
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        245⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        246⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        247⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"
        248⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom
        249⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:1872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:1776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaYQkkUc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        246⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuAMcswU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        244⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUogAosQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        242⤵
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoosMcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        240⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmEwAUQw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        238⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiMosYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        236⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiUIgwcM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        234⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies registry key
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmUUsIIc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        232⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQsEAsAk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        230⤵
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        Modifies registry key
        
        PID:372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYwkcAwY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        228⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        Modifies registry key
        
        PID:2996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FisIkcgw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daowIIsE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        224⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOoskUEE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmcYsckk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        220⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQAUsUgU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        218⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuIAYcAU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        216⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIMAgsMk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        214⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REMIwUkE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        212⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgMsAgQs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        210⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWwwUoQg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        208⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSkcwAUw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        206⤵
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIcsoEIg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        204⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies registry key
        
        PID:3928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwkgUgIk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        202⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqgAQIgo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        200⤵
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCQIUYoE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        198⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEMEUEMY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        196⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOoYAYsU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        194⤵
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsoogkME.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        192⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkAIYQEg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        190⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCsAYwEk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        188⤵
        
        PID:788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAccoIko.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        186⤵
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYQwAgAM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        184⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owQAsswA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        182⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsEgYosE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        180⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgIgswIw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        178⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsEgUAcE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        176⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQwgEsgg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        174⤵
        
        PID:2852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgwYYwkE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWwgIAAo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        170⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OskcgcIs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        168⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYsogQUE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        166⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWMcwoEU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        164⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:3232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeQQgUgs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        162⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQEYgAIo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        160⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiEIQgow.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        158⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:1912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msUUUccE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        156⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uekMIAgg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        154⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYYYQkwk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        152⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmUUAIgA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        150⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYwYosoo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        148⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAQYssMg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        146⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEMwMQEY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        144⤵
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oosssogw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        142⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSgUEwEk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        140⤵
        
        PID:1524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMAQcQoA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        138⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hccsQcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        136⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKggAkEU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        134⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymYsgQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        132⤵
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCkMMQMk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        130⤵
        
        PID:1532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DykUoYAA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        128⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqoYUwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        126⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:1840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSUwAAsU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        124⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OygEkgQY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        122⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IagosckY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        120⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgEIAgIg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        118⤵
        
        PID:4020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JicogcQc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        116⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsgkQwwk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twoIMcYk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        112⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmcckAAM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        110⤵
        
        PID:1800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gakcMQgs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        108⤵
        
        PID:516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGYMMQAo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        106⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIcMsYQo.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        104⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyIEkoow.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        102⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neQYAYkg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        100⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkEoUMkc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        98⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOQkAAEA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOMcwoYY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        94⤵
        
        PID:920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMoUAooM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        92⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FawMkosw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        90⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rocAQwoY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        88⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCIkYMoY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        86⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaYwAQIw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        84⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOQEwEoY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        82⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muQwooYY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        80⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWQAosYI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        78⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQgAQMQE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        76⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKUUMwMY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYAQYEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        72⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEIIgYMA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        70⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyMwoQcI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        68⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaYgYkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        66⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeksEEkc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        64⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsQggwQk.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        62⤵
        
        PID:2328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMMMIQAI.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        60⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haYckwUw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        58⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqsoQUsc.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        56⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCAkAosY.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        54⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQAIsMUU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        52⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOQAEQQM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        50⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bekkYogE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        48⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmwsgQco.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        46⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqMQYwEM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        44⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMwwEsAM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        42⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMYYUQgA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        40⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WokQkcAA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        38⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcEYIgMw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        36⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEsEgUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        34⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMoQwYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCcMQgUs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        30⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIwwwYgA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        28⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoIssIcE.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        26⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGIEgUEs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        24⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dakIIMco.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        22⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkIUQUoA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        20⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwwwckMs.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        18⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgwAEosg.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        16⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwockUgU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        14⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uscsIAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        12⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGQgYkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        10⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIskMwgA.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        8⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1944
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3208
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1852
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQwwQkwM.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
        6⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:3404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:32
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGAQkosw.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
      4⤵
      PID:2008
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3136
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4372
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3208
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uskUYcUU.bat" "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]""
  2⤵
  PID:1020
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1884 -ip 1884
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 624 -ip 624
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4920 -ip 4920
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4456 -ip 4456
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dGIwscog\ssgAwsEs.exe

Filesize
190KB

MD5
ee6a5bdf7fe0dba198c655152a82bd05

SHA1
ea5ec472ef31df51e04a035ced68bb31a85034c0

SHA256
3414421d020d0025d44ed3afe1983fa5e4417131825006498cb30dbf6a5018d5

SHA512
0443982d27ef6fb419d1eea439b5ba8e245aea5b8f8674ca433b0bd24452149323bff0a235f69524ccaf7a0015b30c26bb93dd7aa4d138b75f78778adaf916a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\128.png.exe

Filesize
203KB

MD5
d1da6c56354ae31c824d1edb5d9b3948

SHA1
ce737515d530bb640b3ef57a11d9fc9a6222f7da

SHA256
98f8cab3458ec9f4f0d26c1de3c891efe8659977e716750a37dbd1b47cdbf852

SHA512
34df7881782b4fac7897d07f25f5286913a04b823d504d6304642551eeafcd40753fb0e8213ed045c20b31925e0b6ddb73bd19078aad21b123ffde3ed573a27a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

Filesize
195KB

MD5
5a452a0e30fe2e74d60683a50aaaea71

SHA1
c2c8c93471258001ee1eabb15f073147cfdef57a

SHA256
da1f2d4f3423148cc91ff475eb0f82814a1e3d1e7b54517955ef2ad948c6fb6d

SHA512
5478c3a8540efd2b79622e502a69a0684a7d802735c9d88c60ade3e2e45cd241efe9547322f44333d6f6aa81516d0ef9b5a50b2258482d5f0174668df2267dd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

Filesize
186KB

MD5
3a5690f0be269557044009c30a6ffd5f

SHA1
8693665da8b0ec839911fab2e8bf50268b0e6dbd

SHA256
64d9d35a54b6f354a15bc78f58454f946f31d7a79373d95b00393ca0f6f1d759

SHA512
de1406a2c2bc4f2764c93a08819bdccdf3f528824d26284edad096a8ba9ee11f2ee38e3e894336eb15a98fb7f4e20705032b074009b626f25fbd56bf955d7df2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
201KB

MD5
750fc29acddb98a1fa82cc8506f923b8

SHA1
daa7401032bff00fb62a31c7f5aaadfb5a6dcc73

SHA256
56008f08df2e5ecb54372d9566f51a01a0644709daeb934bd8081146e6c7bb0a

SHA512
5918f23a1ac69790effd38d7a18c7668be6219a25acef1b55a022a1feb0d69d612d73736e1a66757e5f462aa686b54ca2ace4690e587396c881fc3706c09b1c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

Filesize
191KB

MD5
7966f119292b860846b60231ce03ffe2

SHA1
c2a4fd26268f4136cbc07e1118e81f3d5c612f73

SHA256
df5e4e45b2dd1b9c2f830d6f731614bd02dd2ffa084aae76a0494fccea908497

SHA512
dc5d9a424ebaff1f0e262a12c9c192e98912c9468d1e37a27049fb0c4263cb6f8dd76f87bb84a551bc955d6656e4c2004cc61ca7ae121ad1a9f4392645f8a107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
183KB

MD5
f592884b605030675a9ce72abf43ea3c

SHA1
0130780169dc9eb6cb17a274e24febc7c246d50f

SHA256
15d71eade23187848a5c9662ce43cea5333237c64e34bbd96378ead6a9dcf0bc

SHA512
8e3361e67040920a514022c4d5a336be76c0041577b48cbdf566443183e21f743a06dad5f46ec846f983d8a3fd315d6e44f59476b6392a62000e7cbb2c4e77ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f95ad0c7c9479fb201751bd0fae4953b

SHA1
f9cd404d5b95ade478c289f853a402dec235760b

SHA256
a9e406758a9019b1b5a40f7de8b9febbb77320223518961770cb86b35fa307d6

SHA512
0d068e92d3753c0906534692a0bea5642f0ed7bc6832e0860c97725517994872354d0307441a4dbf8b58ea509b1f3a86ebdb190f227bd11a362a568ad10131ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e0e604b7b18b541d101b6def1f4eadbd

SHA1
bb4622b200b53af3021d8a80505bd43ec723f188

SHA256
d5a4351033792d5f2828fdf1a1e680b7c827469970aefae652ad44e42e6af82c

SHA512
5b13ee2061e09e8157c47138558424bea12c4ba0fea4c994cef47b77bba67d5b4becd158182f34a360dd18ee22466f90b65267d6d43949c109d0cdece5ce8ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3482f97a5a83455f0e3296fc031833cc

SHA1
e4222f5b8735f3a74b0a94354ded0f30186fb64f

SHA256
ecaa3449a6f55ba43153ef4aed08d2adefba87ecd77c669c402c624b95cd4f4e

SHA512
d437f5b0b13710ab1cf3582e38571c37e284dcb803d2fe0d24282551347a58aad9b4bb61457f51984774290971e919169367d295725a7db747f1932d32e9ef08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0a76e3a746406849c5325bfe1b2f7a6e

SHA1
61cba0b2d951d607d2a565d71683b9177bfa22a6

SHA256
3a0db123bddfc9270df02a8902d3d7d5b2ce5696c3786d38a80acb6c4d1ff8cd

SHA512
de3308482cd240ea702f58716cc6c38c2bb2bc00757f14ef8e185339ceff35146da0a7a8e62d3ee3bbe1f2a37bcaf3e5fbf93b81e74d8cfaaf637c3204820d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
acba703cbe77949635f2365adbc8bd23

SHA1
9b893f4173f7e005f287e239f441b5d994035168

SHA256
c6b1e0b7cd71faab0dcbd04148a0f6da97e05bc890a01dd3c148de9a1032d639

SHA512
ebfabfc964287a3c402b91d49c0cffebf10196f56ad5b0aa5f1ab20432b8e66583d341030e27172d7bf9a99bb0c75f4c903eda83e4a86a9bfb51ba518af166e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d5514cfeb29895e290bee8b321af95b7

SHA1
5caceca84339f9d4141436a04d2ae5997021e3b7

SHA256
5390eeab4009fb2607066fd22d49b1e3823c65748d06e982957ce62ffd761571

SHA512
b76e6a3fca061bad425597cf3d8cd90f5821bd32685f71600b02729ca1627ea7a96dc41eb080e46440c5c441ee5cc32f6b1829bf944b1d81fecb0e292ea8792d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc44c955eb828a0bdb5a9b40149aed04

SHA1
60bd0bc36b71b808f396abf1f643fd6114c969c6

SHA256
3dfeba3c904a9a98fb6674f25b4a511742c6212781b1a43d087b846c0c17ff32

SHA512
c864f30d56729b27de536f83e37764b96d67e624c207d910c1ca817f201babd6593fd8a04ad2f98fe94b0e6a772b6777b3e52bc7f81bd214b856d9704e0504f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dbc8e266abe1b93d980b405e7a0faee3

SHA1
66d0931ca9940662e0c29bc18a1cd2fd2f84b563

SHA256
69911f5d1cffce499749974b69e2dbdf3317510016da0682302821fa4e349d26

SHA512
0599fe3957dac15c453ad38decb7f1bdbfc63886dc0cca2d8b86245ffe0ab806be482638e1bf24a66cd72fb9aa756adadbda1eeae52a9cad8ff297417e537fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e9f0586a90bc42ef3adc23f805958ef2

SHA1
ee22c791584eff658caf942f1278088dae87abfb

SHA256
3207f44f025d947eb79d7fefffa34cadeec3dcb6b7a1583d898cc543d865ff4b

SHA512
c6f3e24253b6d36592a3ea6a01cad1933797648dae34450ead7190822650f6eacb366e206d294ead2783c80d43fd0664913f1207acf4acb18ae5ef028030eba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5962893c491a9517c5044a604832adc3

SHA1
99791591a3bfae8c3f21adc29c67b7a3f8084451

SHA256
d245a4108d79563724e795cba235fd81dee4f59ab40cefa6633b44726c5f839a

SHA512
37dcda65775a190284c79bd11beee9ec53fbcd63e66335bc7af400cdd4f19a4693b355f636e2c07189e6064f0d2160f1dc57a39e59fed6ebc56a88827b165e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
13669a5b713f24d4e40d8308530fc9a0

SHA1
4aba4495b7fec635796bc505e4d9d062dbddcfb8

SHA256
8ccecfdeb97f8bd14bfe0b464e7562a4b9a57cb766035340b31f7fe6f9b56c9c

SHA512
26a45164c59fb2724969ca16d76325a5b6e0bb87e00cfee89f2cf23e3fcc57d312a2158208c51f76658bb532dff86f4e46cf8fc8419934c41d7173f24f9684fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed3fcb10d68f777557e2507d4aee6aa9

SHA1
caa3bcc8947f9c0a499755ddb387d8369913f486

SHA256
08957cd5890d4698b9da6357485ccfd3d7fbcc04511a0b9c41c7368e9a7c4cf4

SHA512
8a50c34634abbfbd34d7c70e6b5564214ed2b45b814c0a728e871dda103d86866a1d75f501fbdc1d137a095ec8c7bc49bae46198cc7e9ad16e001fa2f2e72bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e57e.TMP

Filesize
874B

MD5
09d7412ca6f4019f0023d470a43a3035

SHA1
d148eebac4e5cfc937e727dc83cfa7cfe0d750c6

SHA256
8aebc2b6157c68e60cc584ebcc5cf64c3c7d1975144b9f5a17cb677eafa35381

SHA512
dff4405d013735524277e9073451ca8e7489aa38024dc77d013a36a726234ad5dcaf965533033eeb2d6e0a2dac076baed7da8386aa1a6441b4035348b1667449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fe038baf-fdbe-4ca5-9120-36e08475e957.tmp

Filesize
6KB

MD5
4d2f063f6cdfe653293c80216bb0afe3

SHA1
8f57bc72c1f1087149000bceca282e0dba7532cd

SHA256
ce4bd2fed1633c0113d37501f45912e5ee9fe072630c8a28fee4cd228d7a5f04

SHA512
c43952d5376eb85428577c54248820a77e6a1d25066cefe7659fee9c275db1713be2ee12c010a6886eeb33cc0c01173eaeaef5501e84af3ea6eac551d9b485be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fbe9297d0dd4311bc762b1801867e51e

SHA1
29d9f66c09862d138e7e7885efdb5f1d20dfe27a

SHA256
432975fa133670d55f9cbbed0f20f6011981aba7078d86c35eab5f878514167d

SHA512
b2a87c8732769da5591fe17ff80f5efca48cb2becd8ef151f80843ae20e8a16ada7a7561acd66101e4bfa17faad5f02ac89d0b06c16617e8395336d6d6536429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4f533f3495da71fd0aea20cd56ded418

SHA1
ce2f86c12ca238c64aa3be4b4c8b928d021f0d49

SHA256
8d3ff7022c22740719b931f640b81a9de55186acff945793b6cfcc59fd7a4dae

SHA512
e20458c8469e9f382dc418d7178bcad983dbc3658902ca45e5f0f6a77a0dad6554afd18633ee09d5c0501b4da53bc0c0daf42e29ae5f3e2c094e6b6c0d3081b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
207KB

MD5
0b45f01b14d1aa76fdf0b1aeb349447a

SHA1
9a8a58fb512130cdd896cad1e8061d760570e4a0

SHA256
8acbdd51d50c30b1dfb98aa06fb1e2fa07ee1616ff498e30daf51bdc9fec8b98

SHA512
4eb400c6e6dae92c862eee10f0bfac78ada9e2d22752b9a5998c6deba27c8621b1573525b7b12c1ba5cb0224662ed44c0e133d6bec9047ccff82cdba228b38f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
181KB

MD5
c06d71c9dcb2e74bc0194629b87e8d48

SHA1
25fc2fb69fbd427bd8d21eba37a645b80eb6e8fc

SHA256
40e8c345179f077d2437c0917a305e25a24d4e747f88b1f769647f37fcfe261d

SHA512
d475e59d07ebf3d217d07781fc30d25704892d7c7fab1409c8ddc7684d21dce5f79525c551938c0ab86c29acfd58d107c0d7df1da523b61d9648dac805fc39e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGAQkosw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\Downloads\InfinityCrypt.zip

Filesize
33KB

MD5
5569bfe4f06724dd750c2a4690b79ba0

SHA1
05414c7d5dacf43370ab451d28d4ac27bdcabf22

SHA256
cfa4daab47e6eb546323d4c976261aefba3947b4cce1a655dde9d9d6d725b527

SHA512
775bd600625dc5d293cfebb208d7dc9b506b08dd0da22124a7a69fb435756c2a309cbd3d813fc78543fd9bae7e9b286a5bd83a956859c05f5656daa96fcc2165

Download Submit
C:\Users\Admin\Downloads\PolyRansom.zip

Filesize
130KB

MD5
7a5ab2552c085f01a4d3c5f9d7718b99

SHA1
e148ca4cce695c19585b7815936f8e05be22eb77

SHA256
ed8d4bb55444595fabb8172ee24fa2707ab401324f6f4d6b30a3cf04a51212d4

SHA512
33a0fe5830e669d9fafbc6dbe1c8d1bd13730552fba5798530eeb652bb37dcbc614555187e2cfd055f3520e5265fc4b1409de88dccd4ba9fe1e12d3c793ef632

Download Submit
C:\Users\Admin\eiIQYwwM\pqcEMYYg.exe

Filesize
199KB

MD5
a2f27f62825722b85d489699a51d5c25

SHA1
5ea2dad76dfdd1bc34786ff39a7c3189faa12338

SHA256
8bf73d5d2cc65fcf0817c72e776fe473eb7f06e091cd77e119f27eac528f2c51

SHA512
e37659a24afff207de7ed2ce35b707778679b9ae8f37eac03c630b6a387e0e46fbb14a6e1a2797790193581e617663922a8b2db2b1b94621f748740c4f85a809

Download Submit
C:\Windows\SysWOW64\AEcS.exe

Filesize
232KB

MD5
636a93294d2a0264eb526bc62c12f972

SHA1
2a32085cb02d908d557da8ee7d2805c529a4bce1

SHA256
ac670d1d0d29958a8834f9063e1761c2eff828b61e79cb167ab1fc132be46e8e

SHA512
07d69cf650d5ce89a969135b8ceb27da479e7cef84c1ed0dfd85872feb4a45e61f9b495c2a5d9432211d14a4cdf472c726212108c4b5e2285e5d8e2c0b10272b

Download Submit
C:\Windows\SysWOW64\AgQu.exe

Filesize
207KB

MD5
262675f8c88efc2fabfe16c4be8eeba5

SHA1
d6956b55170df23c80b822a87ba245c78706c5d1

SHA256
fe969c3df048e26061e005dee5810b5eba375d8217242deba59cfbf61aef56c0

SHA512
2e9065266ca84892a4cb55bd4137fc3443e5f946c2609cc18620a59346be1604ad54acdea47f9a5e85db5e2eb195376d1a5c3bb476c267823d958f17a8130254

Download Submit
C:\Windows\SysWOW64\AsQs.exe

Filesize
185KB

MD5
e5caf19efdb88903531f6c80f09bd7e3

SHA1
822c2c0a109978194c505d69d4d882681103417c

SHA256
4daac0bf482b9ff97cadc469289bdf7dfd2cbf24b18eaa28b83d49408dbf6375

SHA512
cf479ba435b2ac696b56fe4172539bd382a6a64b6f8c86c6ed91b8762581c689136dad75c2680f5d94e0e7a84bf164870e3703f5178052db06d343c2c7767f2f

Download Submit
C:\Windows\SysWOW64\CIYG.exe

Filesize
221KB

MD5
a27d90445ca464929e7196aa3836194d

SHA1
6beae34152f6ea5f6a83f71afe78f13667c0c017

SHA256
f3f697fd670c2eb2e0bfc098e9b5edd7195d919f26670f4e5b9f1d0a83f300db

SHA512
f8c70b883be6cc932d0c79792ffebddc8e9b5e461f05cabad98d3b6933d64c8799a2d58740a40fdc1aed3dd4a97858d0960a7eb49f7ce68ed571d68574fcf66d

Download Submit
C:\Windows\SysWOW64\CgMy.exe

Filesize
207KB

MD5
e60487e0848ab94e9c3b819e14c97ee8

SHA1
44314035e4a1c58c03ca0c44ad6bdc748c88d3a5

SHA256
aca52d0fef0a0b303842d94df163de0699a5c502ee71a5435f3a89931a852b26

SHA512
5dafea85bde0476e3999162843b03807b9ddcfe443349ef5ecf4f6ad45c08914cf8c68a05986d71ad5120b4be0d8c77e9d7d7d10e044f8ea1c38765f7bd348c8

Download Submit
C:\Windows\SysWOW64\CwwG.exe

Filesize
213KB

MD5
4f9a30f1ee47352a8c0a42be0a466417

SHA1
2875419fd209bb01b0d52e10e4f14fcf1fbe67dd

SHA256
935d51758c6e0dcc0591f877b773809572d7944daa20ce91163b6e51ae803870

SHA512
b33d6e3a409414968a73e62e5871c7e26f1896033dc1c82a0baa95aeec86aa8279ee8d8baf29925a080cbde8248d61455898dd3787ba4fe3e1597e865ec4b016

Download Submit
C:\Windows\SysWOW64\EQMo.exe

Filesize
316KB

MD5
bd5ef3efe6580fe34c7c5054da31b1e2

SHA1
bad3ada44a4cca7cda64fe062acf86f143cab977

SHA256
25bb93fd75f5c7cd81984811d7e7d2180f2421929fac5366c4e0306cceef74f0

SHA512
83fb84497c10a1dcd47c8878bf956dd1be414eca9910f8c1cdf0e3b72bb19755901223ae7b8368f6c8b05cd83a026c4c45adebb272490b3e9a58a3d405d7f8fb

Download Submit
C:\Windows\SysWOW64\EgEi.exe

Filesize
204KB

MD5
94207d897561993f68ee2f8e995f0e8c

SHA1
7868626c179bff69ed2b0fcf5fe585555cd2991c

SHA256
9a8e6c4c0c5b0e933361a3f95594e3ce2c4431e5225aedfc2eaf1d76b8317e57

SHA512
5c37d4b3057616c3f901e842fcae8e405d24bb01aced11224c91009c6f8f345a796ffe6dbf71bb54df1982c66da38931b24a183ed4c103bc44bb79a0e7852c70

Download Submit
C:\Windows\SysWOW64\EkkA.exe

Filesize
208KB

MD5
d803b0285d24a6f2525365d12f6d45c8

SHA1
52eb792aa2f2370b9bdd3d917f4f85e4ad616433

SHA256
deb459664247ad117aca00a14bffe74308305ba352398239b9ff89f45b7f35fe

SHA512
92583f0f5fb8ea1b4f3a084ea7ce86e7d65c4b714f5d256fa695e59aff5fb18237ae37c8c143903cc2bde36fb6e6f9b914c1e10b80e4362114cf97d235620a3b

Download Submit
C:\Windows\SysWOW64\GEgg.exe

Filesize
657KB

MD5
9ac68a2c768b3e550b315e4c2243db52

SHA1
7a08a090f6e9dfd7e1c1e1222b176bd5126c5362

SHA256
f6df1461522699776a1551409128ec0709968563daf19ea91656afb4d4f332af

SHA512
5d651e2c03cff34025ae7683733a170f7cdf7db614a0c6d57057f8a9de9313b4a8802c8c522fd586a0f4549c36d77126b277c0a7aac007b3e8b215b4c62da37d

Download Submit
C:\Windows\SysWOW64\GIkW.exe

Filesize
181KB

MD5
edaf12a87fd23f536703104ac2c428db

SHA1
1091ea29704cdc38c571297dcbfaf53fbccf90da

SHA256
1a9ea1e39cf46cfcb23b8471a9c43cbea09005aff253fea7697a3b416547d523

SHA512
6a3a8ca1671e35f73f2dd052af810d883da75d9b41c07765f3dcf4451207697061ce2308614ded425844f70e4cf18a2c4f7b84f46d89a41c5b8217f572519efa

Download Submit
C:\Windows\SysWOW64\GIwQ.exe

Filesize
205KB

MD5
eece504b62234052b86a2cb112f3a67f

SHA1
399c77e80fef0941a33c7247180070263fa793b5

SHA256
001adfe2c87dc1e28376fb8fb41c36ce0e976f86af3f0d8eac11a91de2cd00a9

SHA512
c077a93857fbe0f377c7a121f23d89235a668d83ef827900a5a6ad2604889e9b1a5fe9b634ab46410755fc613bb0142228f86bbfa68c8ba8c0877fd825d35de6

Download Submit
C:\Windows\SysWOW64\GMoS.exe

Filesize
1.5MB

MD5
e47e664a3b51b47e2b0320bf0409b0f9

SHA1
1679cf9468230549b44defb2eb33546f95ab4c87

SHA256
b2a68ce1ef8b105e8959970bfe4acbead8e4bc67fcafb28c53661814bd8419f4

SHA512
93de9ccc378b4905011816031e15f32c595895b395436c832687509ef9cf7ed099d2d62df6c29758d3c342434b386441060d8f10eee793bbfc835753075306ba

Download Submit
C:\Windows\SysWOW64\GUUw.exe

Filesize
1.6MB

MD5
38f06f2328820558bdf26223d3f93e43

SHA1
0b40c035023335817f6ac0f4ec29ae04a650a1dc

SHA256
22b9648765956eac324a129e102cfe21a9bdd055a678ce8dd4961f71ce5b57e1

SHA512
4cb6d39f908a4dabc92f0b1f9037a46f2118e91b687940c5af3d000e097102199216c6b0040aa8b256d4051af00495f7de4935c876f529d3506e272b6951ff70

Download Submit
C:\Windows\SysWOW64\Ggsg.exe

Filesize
185KB

MD5
61d190733177cae4d9eebb17dfe01a92

SHA1
b85a0d79947c50aff824cfba9f3ff7e511f9eb3d

SHA256
fd4728fdfe5074aab138136b8615a8cb89e37cb5883bb386738d41e912698b51

SHA512
34ba66f494a35611f46fee2258a71224088c82fa6f616ba688fa99fefb8d75591d0eadb6cf816eeb5b5188ac4cf7e438e66d0227bf373f9404426d432b3e0275

Download Submit
C:\Windows\SysWOW64\GkUQ.exe

Filesize
202KB

MD5
9e5e4914c2a5623f51fcff06f079e2d6

SHA1
aad9e547749c91fbd899d711d43b6a4d3190c699

SHA256
1dd1f17b1e510d4a8af7f78b16705e66ba009d7048d138508c78f320b4d1cc93

SHA512
0203f37abf964acb4ea1cc5e1ce17c885589ef69e8aa1a333cc86b2023fab4eb788caadcf38b1af6726fd0764093cef9b42fddfcc9f77ac4c6431446845e89c4

Download Submit
C:\Windows\SysWOW64\GosW.exe

Filesize
197KB

MD5
de5b27aa0e863d899217fab6b178da48

SHA1
7c12f262a7a08c4280fa0eb68eb97b671dab7372

SHA256
8f2f57e577ac20d9dde1c7c4b2035e523a850cfd83af2ec074924b829f37d8fd

SHA512
6d77eede58ac90937e687f093f0382cdeeb1d528e30bf22f255915cf63a7adca3b0d2cab60f1cbff921ecaaf3ac9e9bd4b995d3a3e064a0c84513c1ae74bd260

Download Submit
C:\Windows\SysWOW64\GwMa.exe

Filesize
189KB

MD5
15bf411e83b0d9b646648a773ce55952

SHA1
bcca869cb06710802ac59afac0c57e4bee37f39c

SHA256
5d5058adf64f2059927000db193b38e94aada39943f4c01173ec5f79a8e2cab5

SHA512
cea681ec8a2fbf0df52f32c24259221ddfbde7252b31782324db4ce1c01dc8cde8f34fa2f6f9e07e713e49f248c2dc2c044cf2bc61aabdc387eb597b551c6bbf

Download Submit
C:\Windows\SysWOW64\IYwA.exe

Filesize
435KB

MD5
01f8b23a3527fe4b29b34e24e20591ef

SHA1
1d361edb58756e3f9e95bc78e9381d0154e7cf24

SHA256
70fd32c839698138e72c474a319c8e9ecbe1887b15a30dcfaa572e9b4d6ed861

SHA512
78cc3e46207de30af1ab349ca29e8532a116d7ff30bba3a90c2c7f724855e176292247451c4e1f0f3d29a411a1caa25e6c7d222bb246fe91fa08224c3e836672

Download Submit
C:\Windows\SysWOW64\Icwo.exe

Filesize
203KB

MD5
8bfc9a096f8aca8e67ec1ca5dfd31870

SHA1
009635e010db04eccf9da160c043acb4896da46d

SHA256
ee726d11d111142d1b1ef7dec196f368031b4b0021d425363f1678f06d548c41

SHA512
2072b7c09a3f22bf8982e4c2d4775ed35ed888e448342000f4b7b2972322d1b646fdef55cdc014eb06cae9563f210f0a3a82d0214a7c14c9f1b2dd42d2f6796a

Download Submit
C:\Windows\SysWOW64\KAAW.exe

Filesize
362KB

MD5
af66b4580e11c5d9c0708e517d941b8a

SHA1
c2d7c1c757bc301fe5f20fa97df65b37d4843d79

SHA256
cfd417f489b81f9586516a259c4d2e966f78fa8e7c6962a0deb5c2426aad03b3

SHA512
214009eeb82a612c04e231a0f270c62ac0eaf153e5c6368cba5ecc5d9c4d6696bfaa670ea3aa91546adc57da3db5e317c3668c46cb00cffe77f2ff93c000b01d

Download Submit
C:\Windows\SysWOW64\KAIe.exe

Filesize
194KB

MD5
f9dcb32aa5ccbddce9050fddefa3cab3

SHA1
8cfbd4e22a362377d18ba37418ee88a95eadf50c

SHA256
aaf6caf65ea9086cc873be9e0003e4288e645e8f178352594c827f60c4deb105

SHA512
ad47d1292f8beac79ca169dd23c1d9191e14a6754e32191bcfbb7d9910957370b0c5b3525c7f1a0294326c0189d921c418843ae3ab22921d374212bf11ddb2f6

Download Submit
C:\Windows\SysWOW64\KUcg.exe

Filesize
188KB

MD5
fd27c115f42e9b7ee8d9b33e7dec87f7

SHA1
be3794eb1988d7a0d502867c4bf702e49e918910

SHA256
494e8e7c6129ee0ad28aaaf1e41b15140ab146d05797899b6b9ebd0a5c60c939

SHA512
c0c37ed96ac213cd17b0ef0d5c2e6f8d7a5f11c42bbab5f98c9bcf6cf4d2f05723905ef8917b7db9d8fc71cb6b7fdc63a1e6a3e0e57a124311e1e38722cfc964

Download Submit
C:\Windows\SysWOW64\KYMq.exe

Filesize
1.8MB

MD5
963e5f1970174ca834134f358489b256

SHA1
c817f7d4071d252241b5def77babf7bf901595a4

SHA256
eb977193a87927701fee1d1c6cec3e2b2028e3ef391dc3693d0305e4dcd0e3d1

SHA512
217bebddeaac0dfe2df2a0df6683f00d0c6a2d5ddae31efec38813e84554ce4b3efc9e77c06e777b86cc6d00b899c2b0fd8f3ecc775589fbb5b9de2a59934962

Download Submit
C:\Windows\SysWOW64\MAkE.exe

Filesize
268KB

MD5
8997a3e73c3e3f14188213c26af5e2fc

SHA1
a5aeb9dec391a9e7ef2119b6bc6cf35898ae18ef

SHA256
9b8d3d66dca7b42a6b12bf447af1d13b6ebb98482fb08928f24287354e11f696

SHA512
08ac33b617aabb77d6ca30313a4419cb12558acb49c479104955d3ec772c92f54241dabfcdb9bbf213d32706b69df791eebd6ac716eda545a79ac75aadc6d9c3

Download Submit
C:\Windows\SysWOW64\MEYY.exe

Filesize
812KB

MD5
40f31eb4f922524b05b124e3f74d6bf7

SHA1
c1886f7b8a42d21f6fc5e3c4087efa638287c209

SHA256
29360ecc2efef6cd852f3803b81234b7c065d4c5ea1c12091166d287d8056009

SHA512
e9516504c09af0db7c604dff2f9c283064be0073c336b8fb583562b70ba123cb1570b74f9e3799dcf663f624416acd60093e964a2780b697f941b7c902c267bf

Download Submit
C:\Windows\SysWOW64\MMoU.exe

Filesize
364KB

MD5
7b8df7cfc8402aaa1576157d8f9ed796

SHA1
eae5d092d202f89fbc0494fb3adfbcb77f2fc297

SHA256
b514bede0203450f389e71b3557ac9f81a948eeccc2eab2742ab9d648868551b

SHA512
0f4c5c41678df7061eb260427c564de42ecba45fb04172813030024cc56476520d2531beb4dfe13b7ee86bd2e002bee953c8a8fb511faf14be173f8c81b6fc55

Download Submit
C:\Windows\SysWOW64\McAe.exe

Filesize
211KB

MD5
e7054335cef44af2a37439e9838fc721

SHA1
2a1b73644061d60a2e68d2399b95cf91735428d4

SHA256
89ee45f849413ffef2225a5b3173c2ed59c9c31a12afdeeb362bae91a731983d

SHA512
b3e39edad694239d56c9c28ae998d957e0c31175758ed57fede771988941a7e8bb3a132aa4ebfe3693da2540da84eda6e455ffade09097e158de31defb34169c

Download Submit
C:\Windows\SysWOW64\MsMs.exe

Filesize
198KB

MD5
830fbb444f5138ac2e6cbe26a1447db7

SHA1
16c9bfc87da778c43170628db229d36693a25fd4

SHA256
750134626388c093c1a137100e25fdfa7eb2fc0a5815e236c6a617e2b39f3770

SHA512
04c88019e5d42edeccdc8e1de4fbb1adec50cb5ecb8a4b3909706a72b74d97eaa4bb846ba2ae6b32b9a4d6fd5885eb7d78e64676b945e3ae435154bca8c8ac75

Download Submit
C:\Windows\SysWOW64\OAEe.exe

Filesize
230KB

MD5
64bc2b575e609ffa6758ebf1734186ce

SHA1
15db3335c271d40ce98fd3688a217ec362902733

SHA256
9bf57ab4f66d8461c5e8a0993cd46a56580bca7e209d70d027b41e522e68b897

SHA512
81a540698d101a20e3db47c550222c0aaadb0fd5005ad226324793da98b22554a69f1813eaa785d1a40d44fc671e52cb0a640261cdb65bc22dcbec10b1944a60

Download Submit
C:\Windows\SysWOW64\OIUq.exe

Filesize
193KB

MD5
66de963ba7321cad97cb8741077dea59

SHA1
56238955844d2034ba9267f316a56c71dbcdcb4c

SHA256
5c3c6d008bae2cef8217c285ad83ef68abae7dd48dbabfd3c2297ebc9f40ad7f

SHA512
116d7343bcefd6c66b3d785af1086e61de04e4a6b7369703d3f052785d0ad225ae0c72499f4f540c64a8749d856d0ba11e70a65f3428b9a1dd2e7e7caf0bde05

Download Submit
C:\Windows\SysWOW64\OIkK.exe

Filesize
777KB

MD5
534c5d12311d93d9ceca2f9836f9366f

SHA1
5cc4efb0a559bf68d175510cf9f13c465cdffdb9

SHA256
177e33359fbddb7131e6a5d4d70a99d39dc8f6d272ade411a17e63af017aae9e

SHA512
9a72a1ec3c8dfd9ae49f5d8c1d4048f5e7ca50e04ccb2ad07f313945821c959fd20d6f00279dcd7b86595e394af27003b9927656b2379c1cd4936cb692685d27

Download Submit
C:\Windows\SysWOW64\OYIi.exe

Filesize
193KB

MD5
4711e98081da0c46e51025c7ce85491e

SHA1
67ec7626e0c1210eb9750d00d7474944616712a6

SHA256
f2a429b02572e5c91ee399d00c60b1bc6f7284b334add9f7875ed464f93118b5

SHA512
19965ac07962a484e6369cbc490d072e66465f2eedbf69be7e320ddf7e00294ade9b1311e3ba8421b92d70e21c02cc851f0c61bdf91d1d98820d26d50598d96b

Download Submit
C:\Windows\SysWOW64\OYMi.exe

Filesize
201KB

MD5
c2a8fff5dc69f6dfd07f65d1582f1aec

SHA1
9fcd54487987296948c49641a6da36f997a6ee0c

SHA256
cbf0f0cfd1d89b885adfda779222e93d38453be9c7368e0fde511c2f41525dbe

SHA512
7a261f6ed3c5b446287a92ddbf579837b7ee4727a9480167e6abe0b35498618aba6ff046f139a99819b3488c39606afda0630494595533dda83014721a3078e5

Download Submit
C:\Windows\SysWOW64\OgEg.exe

Filesize
182KB

MD5
c255a19ead7489a3f9f7445d2ecaa104

SHA1
6bb7b23e920efd8e0f6b45f86a62206946716107

SHA256
a2cf115f3071e12251a02d8e34533f4e162c3a46590cd2cb2d7139496f6e0e8d

SHA512
8d4c1e04ddbedcc7a27193fe3cd6ea8d17eb6a25220c3d2b8d021ce0ec493af5392db9bce8af3608c71540500f4e10f84afa70a45fc3b3db7b376cea90966900

Download Submit
C:\Windows\SysWOW64\OggA.exe

Filesize
1.2MB

MD5
69d918557db1b2daba191758617f1bc0

SHA1
7eb3dd32b98aadd052918b315950316291717ceb

SHA256
eb2257650255883a1c2b12c34c229d1163cb271d137492ab716ddb9ebd99c114

SHA512
cde03f116f651ad38dfb4ac4735d4cf7f2c77e9e08d6531f39a47a4e460eb56bc4bb992c5e018c2144e93a155b39d318c0d5c7ce48eaf61434e94d9fa1fccf31

Download Submit
C:\Windows\SysWOW64\OkEg.exe

Filesize
200KB

MD5
7e667e1d6fed3e44161e0e111fb05fcc

SHA1
a673683c32935ee9fee2eef92f7d803501e5f1fa

SHA256
6149923d202132bb461f3ddf0957db1458f788a22deb3bacfeef7ac30926a6cb

SHA512
4927cb8776e42a449e354ceb6836979da148d70ab58f5a4caa2185d6ba84ec1f830be8835b6fed1c81c37775690def27bdf0f9d079a7b463e270a6fa5929542e

Download Submit
C:\Windows\SysWOW64\QAAQ.exe

Filesize
196KB

MD5
daa735ea07c9aaabae1611c75f8032ba

SHA1
70729a6783e35052e262357f622ec65e2e3215ad

SHA256
2b27542477fa9476c54167eadd8d83bd31a199d538113e402b12c6bed89f5911

SHA512
c2d3eb3b313531ab919867e3f9e0fda09f4d2e59e1b43229ee1055d52a95ef199c4bc31c52571586c5c1807ffefe20ecce89157b44d51da0a41233b98eb4e9ed

Download Submit
C:\Windows\SysWOW64\QEoe.exe

Filesize
558KB

MD5
fd3fe44c44f55ad95f5932aeecd39c24

SHA1
90ebfef3476d699a4041c197c4135fe1d285a21c

SHA256
0cd4b61c592302c9a4611737999d04cfb1fe5955ea7dee89955bebe91a7ee54b

SHA512
56de7666a25f5d999b3c75c8e02ce0a0c791e54ef903f1ff55faf6951de19f6fb288ba024533dcd3a609df523cc08506b48d0c61f15af7ed72183ace8228ae9d

Download Submit
C:\Windows\SysWOW64\Qosk.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Windows\SysWOW64\Qwkm.exe

Filesize
206KB

MD5
d4845ffaae1b571a3764a381c9830a78

SHA1
c8af11739270ed9000c45ee6b503a81bcad2cce1

SHA256
9171e4853f5c9b9d83cf49e908f1b58b440de7ad3d69764d95700fb3c17f7d4e

SHA512
bc0ff7465c199c774d5acbcfedfcbb80e76f868a3949b26172dc815b57c7cd38890475a1e5c3e93a794bc4de30f4917db34c3a693bf8cc5e2059243c28563ab7

Download Submit
C:\Windows\SysWOW64\SEII.exe

Filesize
199KB

MD5
5b2b80bb8de4a57bc5f287ef80eb869f

SHA1
b809b343d9bd14dde4123d32c4b4fa5003849492

SHA256
cfff4050b20975a04607fe6749a15bc1e8daff900b455b9ac5dce939e145e776

SHA512
d5a2b6f27fcd1e7ca3caf32b84a6faff1e2113bd8591c1c8e7ca9338ed7dfc1a0634d5329a33d894d317bbc774d881216c2c7148f38bc5a6ca7539df09120b45

Download Submit
C:\Windows\SysWOW64\SIcy.exe

Filesize
184KB

MD5
acba3129b74e8221a82049fc9c37944c

SHA1
47721de973ad963b97a7bed0659b0a1bd784f66a

SHA256
4b1db2800c5d0bd6dc1e39383718a1ea1712b3254d125ff812cd5c590daa97b3

SHA512
e9e5a9fae9497560b7f89b2bc43f3e71955f1804ae5c123689a3f9c59a8f4e6f1177134e81813655016e9daf0496c82b5c3e5cf9cd7dae331f9b1a904ebbf188

Download Submit
C:\Windows\SysWOW64\ScUW.exe

Filesize
198KB

MD5
4e864398ddf4a0b56e55d639456e3dca

SHA1
7963bddbfba755bf4a847adb85c4166084b233d7

SHA256
61be22d7f71ae644b760583587ed674bb2974a423471e754259913c283268e32

SHA512
cb3c6634bf3a270633c2be683ebbe68f36c7a88aba1ad579ceaf5bc59925cdfe937ce908092158570570fdb5422810f28dc835d540e35d146b5634e5c61f5324

Download Submit
C:\Windows\SysWOW64\SoAU.exe

Filesize
611KB

MD5
88b6f93e8a3275c47bc828a5878fd884

SHA1
f7faa7f8a1e5d462294cf0e8c5111da12569ba30

SHA256
0d148d84f2b3cd50e3ac48407de8a01a44c2e94cd7ebc85e8b2c51b6d9fb46de

SHA512
03484e83ac87ce5da5cf487565a23d72fd5c3f0df3a976480149fb2fbd217ba4d4e4b9d8edbced536e19ac59008560c154f2ec9a8a324068b8d7992bab37e775

Download Submit
C:\Windows\SysWOW64\UIIo.exe

Filesize
202KB

MD5
0d9d59e294c75f8f20b944608703e796

SHA1
ea8d96429de596ebe799a5c234e7842996e6e607

SHA256
265814c0d892b560f5846822f1aec72ad09ca8dcb8f091425bb92fe0b7c2a8f5

SHA512
618d6008ca5fd420582f1c609e2f297e694f72933c1c6e8f4f5c2056d60b52896d05c4ac780120ae83bcffdf1f5d3e7aed22cbea4843b53888d1c4d190d3f7c4

Download Submit
C:\Windows\SysWOW64\UMwy.exe

Filesize
318KB

MD5
66b68bbcf299586cff0b5f837ec3f768

SHA1
aea84e6825e5903119e14065b17fbd5378484190

SHA256
5351d5ed40fc9a6829798bd1c8f01cef62a2f2d96aa6b1abb13b51f0cfad923b

SHA512
6a691561dac5eb2b6f1676c53e661e70d86603f9a32dbb7e9468f75a1ebbe94ee2977cebdaba1cc99b45c55d91451a0f35b0796dc5e2bf380fae79ce1a788866

Download Submit
C:\Windows\SysWOW64\UYYY.exe

Filesize
440KB

MD5
6a631fe7c169e4d8d96afe98fb70ffcb

SHA1
098663891bed45a8f4b17f2997653236ff85e82d

SHA256
801df90c73ccb3aafb3856d972c4cfed581431ce8398d2db3c6bae21c8e06a88

SHA512
771d2d5a9df52c0cadb28b2d774dc2a104e7a7392c43a575bb350a70be947c0d137e0ee3a2a127e03ca2f1c8b468b12c7c94784dda3c1eda13ddc795e9b1c3fa

Download Submit
C:\Windows\SysWOW64\UsIU.exe

Filesize
202KB

MD5
c49d1b53def7292abdb8fe8ddb0f5eab

SHA1
c916e0cab04bf87b8b8f7511f6171f06b7c65ac1

SHA256
2de37b956c39b50a0758968b9827d4865eecba0c267a2542e25cec42ca79ac5b

SHA512
29b1f5a13841a3ef1164164527aeea33e44f3907d34efab89b4b91e58be20f355924b3e6459935c1b1918258cfa42411114d465391611b4dfe2f4dd9927b4e1b

Download Submit
C:\Windows\SysWOW64\WEss.exe

Filesize
652KB

MD5
36cb9a5c38f4396ad7a37ff58efb0db6

SHA1
bfad118c72818a909b209d3a5cc3822f1ee1a51d

SHA256
08d510528d16787748a9f4f1b8216d6bde3d2167635dc40a11890f4052549315

SHA512
0bd85933c4103375ea4115b35a513e12cce3242d03ef18d4364f01a514b8c2c4a893358ca6cb77e1b93c7428126a8f772e034e10e39dfdb2decce0567450ffa5

Download Submit
C:\Windows\SysWOW64\WQcc.exe

Filesize
1023KB

MD5
b9af1044af4571536642651eaced839d

SHA1
e836bdc770b51da4f90ade513ca74ef0eac01a28

SHA256
05bbb8bd23016510e8dea9b8543fd7bf1a719ad3223ef30b13d625883b3aa5e6

SHA512
f95a0aadcdd46c8eec694d78df6b413d92b8286766140b3cc3c2e17d292f3cc10f892168de8ee3c2d23cb6ff2b50139fcd035a23a50dbf4f33099e11e2fbfc07

Download Submit
C:\Windows\SysWOW64\WUIE.exe

Filesize
197KB

MD5
f5ad9f452ed3f002f7c52c03b7780ffd

SHA1
6b11e5ec54f2109d76304b3c847b3c02495c9eec

SHA256
8e04d66974313450fb1a4d971495166da0a36eb206fc3d93751f1c3504191670

SHA512
072540bd514942f640d274c1f6167e435c10659b6a20a6361124430c66dbdd9a80445ae1969789d9d16e421a4040fe581bba1b52b4ed1d877c2a02a1d310d327

Download Submit
C:\Windows\SysWOW64\WUcK.exe

Filesize
189KB

MD5
c3bcd3d98ef45db0a2102711a31f6273

SHA1
d7df5e00f0c8e1bea52ec84c2d006fa6bf5e76ef

SHA256
c3948798e35b781f2641e3e674741691b75bbb9daca955ac3f107dd9d3dd25bb

SHA512
2467cc5539a577f07ea4fa2fbce8d85f780624b6124f8505034717a6524574524d0315a5c67f2cc4701206a1bed8f17ddec2a8a84ce5c1b72d2c8e4fdf46e39f

Download Submit
C:\Windows\SysWOW64\Wsge.exe

Filesize
561KB

MD5
1da6253c8e2e1afbf03cee0fd684bc96

SHA1
744b4cfd5e534a011835e7643c188ae3afb2698e

SHA256
e42f775a9137025329acf002a4ad0daf1a90e0e205c05457770f98a1d8c2abae

SHA512
4e59436941e35eb3d888fd490dd59bac4c291096291074b7186de210978c2c1c831edb50bd471e5ef4e78d294cb6d3244112bce3e30c0b13bba862e9821181ad

Download Submit
C:\Windows\SysWOW64\YMcS.exe

Filesize
330KB

MD5
436befd69db32ad6d59bdadc81ae2e93

SHA1
295e88727f73d8008c16998b0695ff9724b491eb

SHA256
a6b271d90b4683fe6ef43a769cbd01b504350eaebe50195ad311894b24dc78be

SHA512
4120c1d737edc0d7e20c28b71ca9e8565305b611a1eba618cc8b0400fe6ec0acaada16d3583a6a5acf46d68392230fc5c35d1ad753e0cf76450036e5419b9cd1

Download Submit
C:\Windows\SysWOW64\Ykwy.exe

Filesize
789KB

MD5
b0a438fa32cad304b12ea509be6f4f72

SHA1
504c63a21b6034eb1f88cf0d31b5afe5ef21cda0

SHA256
bdb46f1cef1b8325346407de99573caf2e5c911341476821724f1d874064fe1c

SHA512
c3663b7e57ccf20aa92352a4395795f0a2fcff90b7832a8d1284b34525dcc61439c99624c55eef400989fd0565df82089aa8aa76f3ed4222f677e7d96c44e7a8

Download Submit
C:\Windows\SysWOW64\Yogg.exe

Filesize
228KB

MD5
d16a636bc0bd6e21a950b8879d557330

SHA1
64da0aaa9f7f040b938e25800873dfb6c266de0f

SHA256
715bfb651d28e677ed7c3c889bc7937fdd9212189a72c0b76cf3f2796f8cb1a2

SHA512
124855b67771a27d500d8b3e465a36c41f061fd92af862a1827dce38dbe1a0469ca8d08d30b3b387d39f55cef8f5262d92cb7c03ce18fe03e3d1e476e5ec8ca9

Download Submit
C:\Windows\SysWOW64\Yssy.exe

Filesize
189KB

MD5
b28c8a2f35cfcac0880e31bb3c69881f

SHA1
9fccaf8f2c45dc02819ec77410f8ab7249fee5c4

SHA256
b668d660576c966bdf8426ca9457bbf82ed0185652d625290ca9703fb4450580

SHA512
01812201d4d1907cfc3cc82cf25fe490a80a35b0a3db16e2cc8b590bf6686d47f1d93d0608c617a2b764ea874c346053b031e7d73ceb388fce7f510d57cf4e73

Download Submit
C:\Windows\SysWOW64\aAEC.exe

Filesize
853KB

MD5
379324b444c77b66f53bf7fef7123774

SHA1
d10e155991fc6078603a3cbc0265c0bfa213c5d3

SHA256
64439aa6ea10a125fb9f87cdc204ec15a156c9e6e762932ca8aa337f5dfcee53

SHA512
a6349c0de196661e165f53a75d20339923c7d198ff36567292171d58b79892961bb286b66587ffbe7e27e9c44cc0add1e38adc377a92c876dd301780c3d48814

Download Submit
C:\Windows\SysWOW64\aAIY.exe

Filesize
189KB

MD5
0b475ec396be08c92dfaf234ab738e4d

SHA1
a053635e06719a66e82eaafe91cb105fbb677543

SHA256
cf027d12a47df486a03eac2f0be903ea45ed48fb518c7e16d694d7bfbf62d975

SHA512
19308e91d1c93cdb5ec5dd0a9dfb96ab7df79ce966b885de3133ec7487aa9f9c72985f2552de145b8000a2ef912e56c209b59d2c1afc24f1f06692a15412d736

Download Submit
C:\Windows\SysWOW64\aAcU.exe

Filesize
208KB

MD5
560240852ac418a61828bee7e7e12bb5

SHA1
d334f2645c2e65d85dc4b0280fcb2e51d7e840af

SHA256
2eed830fb362e2b5241cf6e660cb8fc1ebf3c593a985609e2692a53666ce242e

SHA512
9fe42b3886218e71c6e0d93d9d7442a1526a5dcaa094e24a00009203be613c046dc7fbd1de040ed26de3f3413498464345490e744104e304eafb0982bd69efff

Download Submit
C:\Windows\SysWOW64\aIsk.exe

Filesize
824KB

MD5
b0f6502ff283c328ce0b78a18da8e8d4

SHA1
eab1f01cf2913949618a631182ed5792a1c4ece9

SHA256
44a9f7c3ff0a7701becf7d7924bd0b8079a1e3fc65e4a40a191ea3c62a097721

SHA512
ac30b0af45970d1515bf79d0d2deaeb4ba3de31727e648060c69f6da015a98aee7cb7e00aa34bfb63d92eac380bde21ec8bd384383b7ef033c21e3d363e22464

Download Submit
C:\Windows\SysWOW64\cQsm.exe

Filesize
230KB

MD5
42d2176b4bb94da9e6c107806ae01010

SHA1
8c6c2e215d74670c88d2442e6930286de4aab81d

SHA256
a2e36c4066a21417ed1d541ca0a433677243008ffc7ce5e3212a0b69f9788219

SHA512
e947d5c951003d216cdbcbb2c8d8346ef89b462ca0bc474f47d7b3ead6b29f5c7c14aaa3fe60ab16e12d5d6beb8d6f60f8c417f0f19c2641edbdedbe8421be61

Download Submit
C:\Windows\SysWOW64\ckcM.exe

Filesize
454KB

MD5
e97a1144cc855e767f9a8de5d9892e9d

SHA1
7dceb88972416497184e4fe5b001194fdfde46ec

SHA256
dfd14ed68bdaac93fffc6f4c6eb3a45a664dbc0dca442867601d8289671e25c7

SHA512
aea8941a90c4dbc044900149f846962f5ea84665404fa996c456d0c28bac45cfbc93f944173fc5e52e00393df78d16a4736e9630bb9be6f2cc52ab0018535c0f

Download Submit
C:\Windows\SysWOW64\cswS.exe

Filesize
204KB

MD5
35c845d2367b9ae8253b4bb88e0ce4f8

SHA1
398eadaa99a5c0739f9d5f6d55968977d859defd

SHA256
094462154a6f34ccfa59bec8121ca14640d46ceee71611ec4ffb56177db9afbd

SHA512
e18af2c224d2c57d8b323514230d668d67c69696eafdb4997a95844ae068566dfa6f21827db0f774294b8abdc84e3c95f42d030a12553a84fb8bcc46d6fded8b

Download Submit
C:\Windows\SysWOW64\ewAI.exe

Filesize
202KB

MD5
a5e44788966053db5b3d6887834cb985

SHA1
f44d303c54cac0b5e4a4c711608c9d849b4f6a7a

SHA256
2037cc80fd7d5b40cf8e9b7941821c90b97a4b4b1ea4eb732e24d4f3b7ea494d

SHA512
9d96c51eecc07cfaf6a4aad54860fd83b4d744c95e1a64554546ee977b5e07eabf597c1d208d40fb48272f386818824cc17dc7ce5c8ebd04ddc3cf918133a9c2

Download Submit
C:\Windows\SysWOW64\gAMs.exe

Filesize
643KB

MD5
9c8f89e989de5629dd495f668f476c4a

SHA1
9e9159ec4933036a2ea2428c3d5bf77e400ba296

SHA256
4a6a89b70bc453a99d403e98847aee8ade851394a43fc51a3e35d1ccc5bdd552

SHA512
ba31936d4fd5ac7ce0ebac0c3ae0220b44c2a53f042eba70a68947543f55b85179f4ff804220e724fa125316bab76343103876dc71692a9a3cf131ea9c1327ca

Download Submit
C:\Windows\SysWOW64\gEYC.exe

Filesize
190KB

MD5
d6932ed5a83e2bed0eeeca4d833f3d33

SHA1
da412a13976db7d6f8a2ed5cad9eab18ae67426b

SHA256
d43e192ac50d6ca36478b2c8dc689f4244074c31f49fd170666115f115299035

SHA512
4904e4495555247cdcd6a0564863eee48a77a66e9e4be379dcf9f225d8a6ace52066e53b9b8ef88e0b7fdc1ae868cd8b7f91f13c7de666d2a9ea2039ee01ef0d

Download Submit
C:\Windows\SysWOW64\gMMu.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Windows\SysWOW64\gQUw.exe

Filesize
798KB

MD5
e7bcb1a35a916267a52abf8d1d98b656

SHA1
e28206d740492d18ee23749f884894c9925baced

SHA256
2d125e5be0b8b55fb2ffc251296f8a22aa1624f6e620174290cb0e90b3d95f09

SHA512
82b028398eec164f7584a3983e0fb865df828d204595887e4dfe22131a62b0f1570aa77b0d5ae5d48478cbecaeb214ef994f6fe1b8f99643c016c855a78a582b

Download Submit
C:\Windows\SysWOW64\gQso.exe

Filesize
247KB

MD5
57173c3cbe2f76629b13516ab0d25329

SHA1
a8f8b4a565d53cc8cd4c561bdcbe13a0686a95bd

SHA256
3bb302dc9ddc235520bc94aabcf269f6f9585353420be01bb8c57af27a6649af

SHA512
f3e4af7fdf4272641ffe3231f0ae126c954c4830bd0834c335d9f4c85d7795e87c91f853441f3da9d508b7b3cd7d9f0b84c868dbd0e0fc5b206578e0340ae677

Download Submit
C:\Windows\SysWOW64\gUAk.exe

Filesize
203KB

MD5
e26439948bc70544a8afcd72ceba9c47

SHA1
f8902bb10307edacef53a6e81bb0c9a1a007a64b

SHA256
f7a2f04bb29cd91de891996b062455e9e31ca7de4ba3beb57f3807c9fc456100

SHA512
95b575295682fc73ca2a0495c1cef632fc55310ae3c5261fdeccbb18a59d5de74221c28405b2b474be8b91aac6cb95c2b61e010707449b929f4f8ff913d9d84f

Download Submit
C:\Windows\SysWOW64\ggQW.exe

Filesize
828KB

MD5
e0a423fb29a1783a7cde9677a00acc35

SHA1
38ca3c02c06cb1674ed753b063473ea877225aef

SHA256
72021fb7d34eec51ad6d00355307f952d8ac15c2cc5fb2e8854c98ba64252d18

SHA512
3976f640964eaad591745aea48c7b36568de068327371ce8fc0e40274c887adbc6e7399d24d9ce8445497d026f1ffd0afcb23e11c1f17ca6a08aba1e62f48f60

Download Submit
C:\Windows\SysWOW64\ggUg.exe

Filesize
592KB

MD5
8b18a817ee452bbc227eaf610129e28d

SHA1
08b2488e68791e2a9ef459ade2b58e215ae4f656

SHA256
123840d0e3115148d2cd94cc8169beb0662dbd6111fca3b7c78ce6d9bccf5717

SHA512
469c1ebe3cfdfd7690965a6c70d270754506b7ba622e135323c0abce6011f7558e21f151cc0373944d03871b6dffeb5c4e66f982a67f7cab33a5eea3aafb17a5

Download Submit
C:\Windows\SysWOW64\iIcG.exe

Filesize
192KB

MD5
554b55c5b814cb3bb289168b8c776f1f

SHA1
21cc3a655e3047aed58f604383aeac002779f8c1

SHA256
56930db1091f2a716f0223730b70aa8aade78312c12326e9b0d8b3276beaa846

SHA512
d0af4f10d47ad8e13c2b88c4500c85a63e28fae9c5ecda4ce3a269767e211fcf9367c0bcec077a4be983b7aac39da03654f4e0a48c253c896737419c73df125d

Download Submit
C:\Windows\SysWOW64\iMIm.exe

Filesize
235KB

MD5
c9f995d5355b6ebdef5b9a5200f41d80

SHA1
7e128f1f0480c0f0df0adfb1b8118ff8d71deb5c

SHA256
a463edc8bf0769f5ad8a4838c70644229119abbfb67e0526f540a9784bab089d

SHA512
cbcccc443f70448c1587468cb819fa1995aa6beb5e8713177f1718809f79724604200dcd2a933013ed718d844b74742ea561c0eebf951bb96fa7e683e69c8eb7

Download Submit
C:\Windows\SysWOW64\igQy.exe

Filesize
205KB

MD5
be6632a8434e1b598df15281a2218bfc

SHA1
e4d53f7636ea8abd05fa7e33ad29514208e25c3d

SHA256
6331896ad36620b09ef7ac7e777ebca690dafcd389d16781dbd4e174e16e7677

SHA512
14ecdb65be90e205d59e00ecb21f962f3d0e5beca22568fecf82adfd49dd17b36850c6d6d398699214b51293b6d61df6025b872bccde0ed881fedbb90721c65f

Download Submit
C:\Windows\SysWOW64\kAEM.exe

Filesize
202KB

MD5
f51058d7034c5ce44661008c837e8579

SHA1
83e28d316a64cf5debdccb946d8d8e203a4aa017

SHA256
9b0947ff2b09c204ec451f99056204a73c03750b143971eb4942684022d65bf5

SHA512
89049ab87e04a62b48bc8982606070bc985dc13261e38e1abc31830adfc8236740da11c5a90acedf128ba7b9663afb9b99b2216a798a053ed71651eb6a52a023

Download Submit
C:\Windows\SysWOW64\kwsk.exe

Filesize
5.9MB

MD5
e5c236b254f4b42e56f3314a7fe60e0a

SHA1
8002b568a37ca24d528f84cbd8d594b93d591e93

SHA256
1f43fbf423db92b1f8a31ccb69e09d7fa5ae68bccc4792da1e240673d1826d56

SHA512
1842bf7099727d30e554165e18592c344e0b546d93b72f278b1c78edc6094c08349157b26a8c2544dc49d423bf7379ba3ebb2778250f97a1349b19f08e3c9c4c

Download Submit
C:\Windows\SysWOW64\mEEi.exe

Filesize
420KB

MD5
4628a4255f4cf3e256b1b9bf7f4cef5a

SHA1
e559271385b354aecafc7dbe2d96d8108fb1bd41

SHA256
0dd6ae9eedc5a753622bd3cfc6d1730ac3671916ce5fc816b16e62961acfe448

SHA512
d4cd3cc1164105256c022422247efe5ed35c969d0a6c0e1984d09d8bbe059bb69772ca105278ac3c808fdddd3ca957dde4213789610aa19a6972b13520de43ba

Download Submit
C:\Windows\SysWOW64\mEoY.exe

Filesize
986KB

MD5
fe239162b19f6015511b07f345fea9d9

SHA1
8845c7b9a43c381b6af293cc28c687e98c00b28c

SHA256
9219e644627f92ce004f478384347aca4eabe72326c3af2d50ff1872b485885d

SHA512
5ddc7cc0d4303cc2c3f19726aaec8a04f3530f9bcccbaa4511873c34c7175187ea8ed46c15162fe25f70208c3af2028a2a917fb5a873dd32141c6b767455c8ae

Download Submit
C:\Windows\SysWOW64\mUsG.exe

Filesize
5.9MB

MD5
331e29f8fddcb9b458582c4aab7b578b

SHA1
c2c2af0446da3aca4031e51908d721b6d22d1b75

SHA256
64b20e31a364fc053f888690759070fbb6409453dc65337eea9dd277bafa5bd2

SHA512
0a819e66fb205f52c630818188659bc7a38cc5fcb9ef8933cdf5afbe6cf6e7ea1b924ad322dc4b2912b57c8b7b2f827d4473d8fdd09d7a2983f22d53a8391aa0

Download Submit
C:\Windows\SysWOW64\mYQS.exe

Filesize
190KB

MD5
6b9a24b1d8d7342f493c510d6c3b3b8a

SHA1
f521056a99ef8d4c6a1147de465717f16df03e39

SHA256
c06622544802dde707aafc6d7343064b0af4e6fd95890830b50e92886716d888

SHA512
64bf41f919885e704916091a86fd80a86e12ddb0568c75a146741a0c55b50b6ee7e0aa65a0a44f667128feb6f386e1ff7a534956e36ffb4a42f50cd8e5e1746a

Download Submit
C:\Windows\SysWOW64\mYkG.exe

Filesize
210KB

MD5
3c8be912cf4a8b80b9da17f8790c281c

SHA1
33b1e4411929fd5a4ec3d462053f222f4dcb5f25

SHA256
771138c2477d988d965b7e636c362e4ec46d3c2ddcce0d1f027c6d13dcd3f76c

SHA512
36f33e54556f3929c42020959619af2e39aed3d48f5d14d6066d12ad569c2730e934a6b646df37059258a2cf64f8097ae15861d8a3a3ec035b3df46debe5ebea

Download Submit
C:\Windows\SysWOW64\mgUa.exe

Filesize
203KB

MD5
68f3ce077f86a8260db163a5744352b1

SHA1
1c3c84a267986ba7c73e95fa3d93278d7dd2778a

SHA256
2bbce71c90ad5d5fb47f3f0dba4750e46de52841d2d7f6c777e23b67d9219d49

SHA512
fa16776df7ea0d32f1f94d2f716d5ee80ea1b9a4c348cf7c237715a1a5b8c63a326517ed38008548102d8c264e96fc256f921fe3986b0b3607fdfdc0a3bb3ea8

Download Submit
C:\Windows\SysWOW64\oEEU.exe

Filesize
549KB

MD5
e23c512808c86640b87a036d713e058e

SHA1
88b7643eb6320d8fc115263a00955e708bb88951

SHA256
75d4beb2f998d0fa962817498f7a4e182822d94bd47effb43a85273b21707a54

SHA512
3cce356b37b61c2b2e2ac051d923434d4c5bb2ef02890e6b35af10c947cdd6d17f6d51ef63e36589e7a2cea7d0139fcad6b7f001fb7a7517902dbe19a8a62041

Download Submit
C:\Windows\SysWOW64\oEsk.exe

Filesize
651KB

MD5
a04819ff0a08c3e699de50c17d100cd9

SHA1
c122fcdfccd722c1cafa571190582af24e0fb10a

SHA256
53bff8cd397223fcbfedd4f97af7cfb54ef79df93686eb3d9b1c416698b3de0a

SHA512
68a360c88b92127243dbf642b8eebe05bfee486a616e8c53052d52f1ea76c20eea164702a4aa4878fe87c71687369c79f70106a9c2a9a9aff219ce7e310d3f1d

Download Submit
C:\Windows\SysWOW64\qEYc.exe

Filesize
325KB

MD5
d133bc5dd4e7fe24fffa8df64f4f62d4

SHA1
e027ad13171918229f006903b024ca6fc74dd40f

SHA256
958a6a70202210caff243ef466f9730b2848c987da813c74fb7bbeefdfde7120

SHA512
03c6c639b6f4a5ee73fe9fd02b539d57503fe98eb9c207ade5000bc80c78b9e2176f116d95377af1ddbbe7e363a798f25ce440f18403dae4fee74a570670805c

Download Submit
C:\Windows\SysWOW64\qMIQ.exe

Filesize
194KB

MD5
ad9adcf081546361bf1f8c03d19dfeee

SHA1
89f55ff7a19cb80f36705914cc9b87c3701267a7

SHA256
e23d32eb614bbd2af72525e944cfeb3943d1386308335150629412c6219a9b2d

SHA512
b56f22c41e3e72f74cb16e138d2ee5bd3edfd98c0358c38970cee9ff121bce2b4333c95c44948323caeabc1fc69628e8e9788b8cdf83ba64d9fffe083274e614

Download Submit
C:\Windows\SysWOW64\qQcA.exe

Filesize
206KB

MD5
3d35a4509bd98aa5171a649df97ff2f7

SHA1
8a3391ade20a15142577276fea986c83baff0129

SHA256
6e91162275dbadb42b004575f421fd058157252f70b9f6d2aec0bd53d9ac0729

SHA512
d0de651b64f185fab675c162114ba796b8b5c6a5d9e91c4c1a0537c1d0536fe62cfccf44cf726549c5bd3598d18520283f29f764da5e9a50dbcac1cfa8f3f24a

Download Submit
C:\Windows\SysWOW64\qUkM.exe

Filesize
210KB

MD5
825e3cc56a1ad13711797413a7f9ed54

SHA1
8ac41dab6109b73ab30666e67d7b725ecf0f4125

SHA256
a34fcd677a1df13d42546bf0002afebb7db5f193649710c96ef1d93d678fabba

SHA512
e5c3b3fd70f69359f309d0b07acc66ab23856a2040107a33c5e62bda4edaece739c316ab040d72576e6fc926be297d15918a95842e82075c4fe9ffafe5938a54

Download Submit
C:\Windows\SysWOW64\qYUK.exe

Filesize
820KB

MD5
b1bec4e579125d9834b56f3439a80015

SHA1
644947b2ae9b8429da1b3fbba05197a64053cf10

SHA256
dc56cbc1f16dc90a76da344bb52438d6baaedafefc9dd784d379dec002a8934e

SHA512
d96bc5297546ff74607c023896a34bf4b5cf815fc87a2a7dd47d5c7fe2bea044064f60becbc0cfc7821b7c59bdeae2bacdd574b4e5ac4a3cf6326c5191be31ee

Download Submit
C:\Windows\SysWOW64\qccm.exe

Filesize
1.0MB

MD5
40d5f1fc2845430f6df07188eb8bce9a

SHA1
4ab0590186ad5d462863bbf8c3f8b3983dee4765

SHA256
7161eb08623848195fbe20bb2d9e8719cd2223b6739fc21f568e7d16198f6f07

SHA512
6aebc41b022ea636db935f51b6979c5993903ebd484e5bbb64040bc9d086d5cdf07bd869a88d4c07692900d9b14fdd1aea377bc9ac806a5c5eec8b0614a8f99b

Download Submit
C:\Windows\SysWOW64\qoMs.exe

Filesize
202KB

MD5
c822de10e53fbb59dc49bed9bb15ace4

SHA1
f02a2dc61f6e09508380625b4d64c147e93c203f

SHA256
644ca753990637d23a77c9b50a2ac7529db8a6dc709a26192a15da71745f7580

SHA512
d3a8a283d816749f40145d60331a8a3994bceaa1a1c8a677f82e925839944b95d825d4eeece2b9fd41019ed16a47b68e39ca5b43c79ba29ea7b1a0931f6e08b7

Download Submit
C:\Windows\SysWOW64\qsgu.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Windows\SysWOW64\qssK.exe

Filesize
306KB

MD5
22585f4453c9bb1fcf85703c510801fa

SHA1
e9df1c50e3d2beddbab90d3a8daf128c9dd2fb2b

SHA256
cc5144080551d82e1925448c71899f9a1c24640fc61104372ec14ddfc54a191b

SHA512
5d7963c8bd84236c3a300c2248e99459743bd89df82820f391820c957d13a3794644b24a4777db943931276be99d2edd9cfe2cf0c19afd0914e29ec1282fd902

Download Submit
C:\Windows\SysWOW64\qwEM.exe

Filesize
408KB

MD5
2c91cba15330cf184d5008463eab7310

SHA1
dc830a54985fa3cac4107627fd3cf2e4be403f09

SHA256
4c2adf4babe22bdcd0a38a9f5012d5a3bacdb3e74beb4a9466667f13916fc0ab

SHA512
2854ef8b07c1f3b4f7d2d0692b7ea319b1127a15ed6fc425a56db7b9835b1b1ea85e5c1b1c60f7fc1c6532a6c05ce8798dfd3c10d25116f2b582004ab7d88555

Download Submit
C:\Windows\SysWOW64\sMAQ.exe

Filesize
779KB

MD5
f9f0b470cb8856fbf933fbd505eed8d3

SHA1
99683d57f961849007e19cb97e1cb12b8c8305b2

SHA256
31206203970180ba3554633c92cd7af3d6c9e6db8b5d79ced439ba415e1f73ce

SHA512
697edd3d76776d3021d63cf6968068b1b4819af74119050e9dfac7c9369974bf7adf86dab411777bc1c42b4f4d6d2ff5573f9cbc814551965ca2615f6a280173

Download Submit
C:\Windows\SysWOW64\sgAK.exe

Filesize
203KB

MD5
1d040fc648e7b7d2ed880bae2e8c0aa8

SHA1
7622a7409112a05881f8d44f6f4da4d694246d76

SHA256
5f64759aeab22b72549d6ed469ec7a96075e5a302946e25738fe3b48a7f5c222

SHA512
a63790d58f2aa627e02e8b044b1dd9cff5fbfd7565653201fd9f4ca50965435dfa2a84a351644b867ff4cf2029d20e56c147a063d30eb4dcdc3e56121498fcaf

Download Submit
C:\Windows\SysWOW64\soIA.exe

Filesize
635KB

MD5
b3f336d1735889e70fdcda9dff958d30

SHA1
feddafbf93474c088e7b07ef6ff6b1c6413e4dc8

SHA256
06bcf47fb0a3d5aac2eed098f0e4d18970a873e2a60455ac63690ab1d5412922

SHA512
437e4e3c7107c009f116dda8d12b68f2fc571fa3ae3329cb3ea526ad4d0d37dd0ba0a48cc4e2dfa5c4ee9fb270eeb2abf9dec45189cf28a6ace7ad76d075b359

Download Submit
C:\Windows\SysWOW64\uMEg.exe

Filesize
797KB

MD5
3bf4b1c3c3a5e63a9139736155849bc6

SHA1
743d70038a3f0cafe491b591669dce0bfb65c559

SHA256
db4df993b47ee95e408db319cce786b6eded0c848b4b489dc123fe671cf1863d

SHA512
2c6287d0ff96da60ac5d36456b1787e5fe107abea289b399730bb312b941f4caef24a4e09f9fbcafcd3791e594f314c8afc7664521044bda3f08cf10cf972bfc

Download Submit
C:\Windows\SysWOW64\uUUm.ico

Filesize
4KB

MD5
a35ccd5e8ca502cf8197c1a4d25fdce0

SHA1
a5d177f7dbffbfb75187637ae65d83e201b61b2d

SHA256
135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715

SHA512
b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636

Download Submit
C:\Windows\SysWOW64\ucIm.exe

Filesize
190KB

MD5
27c8d4b9cd5038177264e10ba2f8aaba

SHA1
da613cdfd38f38909213acc21adf8b959558ca46

SHA256
a6749951ac6efce0e418393b15841d6a5555a38c0f7e578988223c9c1de2d9e5

SHA512
d196121e89ca4ef78fdfc42a83c89f3c9da8704706c690f55557cd07d17c08d4d1c9a08feed73e664ab8ccaa29cd59451dc13e9f6261a1e3ae0db094cd75e15a

Download Submit
C:\Windows\SysWOW64\ukME.exe

Filesize
188KB

MD5
d941ccd0bcc72eea234a7017760b953a

SHA1
2c038702d6397d2b2d3f74948e4b89d5f25892bc

SHA256
ba9063576aa3d961031c5befc54905e9b1abc4e1693d956f39a4a87dc0cbcf69

SHA512
bb95da34c7689ebb60fded792a972e66dab957999e98b917f63db3da589f2e0041c123ab15bcd3d51df1916fe9c297c583da96c24b98d8496671b22d6fed15a0

Download Submit
C:\Windows\SysWOW64\ukck.exe

Filesize
198KB

MD5
a7af687b8e403cb1e8320d62926cc1df

SHA1
e0ddf6abea1cbf1c7e84399081aca699a0766942

SHA256
234beb60f37e73de421792cc9d9858b7ae70db309bb981f46c92590ee77591a3

SHA512
06260532a7e355335b51fc3e92cffb7ae729f832383b76b3827ad1bfb6716e8f45d8b8386cdae387ca091a02974853a33515400ba777ea3dccc665ce9185470c

Download Submit
C:\Windows\SysWOW64\woMu.exe

Filesize
204KB

MD5
bc50fd3df9cef4da2767abf31fe1b1ad

SHA1
7d7eef97d503c8029e039061e9ba41969d1cd3d5

SHA256
be4b0dee1823e83fa6aa59193247ab366f205c92f465b54d3eb40383d0cf3349

SHA512
55cf1161d3b3e8e754b6edf6dc45504869e56988abb4a8c627de2f7c35cddeec8eee22b68925d7dd9e9265167c3a9df6eee4790ebfdf3dbc8571da9ef0995c04

Download Submit
C:\Windows\SysWOW64\ykQs.exe

Filesize
636KB

MD5
e3bcaf3bf116e36866ddfc024fb41b99

SHA1
442feb0a92923cc788d2e40d064194c8c037fab5

SHA256
955ccd3b67726008cb85301054a318c7dee9417cdd0f2943d8c9bdfcfb98a6cd

SHA512
4cae63cc964a1ab0c98b8bdc16e3f480eab7cb3d442c40f80eda80d4d5f45f8b0723d7182c3dcc4bf85d120ae856fa7af881671bd6aac72765b71e3f5c7efccc

Download Submit
C:\Windows\SysWOW64\ywEW.exe

Filesize
677KB

MD5
f734626968bbf3882f371eadc4086934

SHA1
75fce09d19a72d89db014f73394dff07cc579aaa

SHA256
fea3025b3eac8f975387b756da3f8bde047b67891383cc0cf71dccb72c9caf7a

SHA512
67e11f424be00c8b5841eb61c2dcbf3a9b29086d68d6dbe75b573b5e23afb00491ba598610222bbfd4fce790301354351ea352579fafbb16ddbc1820d5324621

Download Submit
memory/404-913-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/532-869-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/624-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-809-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/624-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-607-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/692-817-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/852-447-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1020-1004-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1120-737-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1120-660-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1120-668-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-1021-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-1032-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1260-886-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1260-877-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1384-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1396-765-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1396-774-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-861-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1472-949-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1472-959-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1520-659-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1532-986-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1564-694-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1608-519-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1608-532-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1660-932-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1660-921-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1884-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-747-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1944-799-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-580-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-588-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-922-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1972-912-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2008-825-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2120-641-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2180-702-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2292-1020-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2324-940-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-579-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-397-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-755-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-994-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-446-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2704-649-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-766-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3024-517-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3084-623-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3208-721-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3416-633-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3464-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3464-399-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3528-787-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3652-480-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3676-843-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3688-968-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3688-960-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3852-425-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3948-1012-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4020-552-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-684-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4252-571-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4456-790-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-729-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4516-948-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4516-904-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4560-358-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4652-844-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-852-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-615-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4692-589-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4692-599-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4732-835-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4772-505-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4788-976-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-711-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-703-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4920-789-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4960-791-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4960-781-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4960-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4960-344-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-676-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-878-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5008-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-896-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5080-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5112-536-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5112-544-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download