troldesh | hxxp://google[.]com

Analysis

max time kernel
250s
max time network
307s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-11-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

troldesh defense_evasion discovery evasion persistence ransomware trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 45 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Downloads MZ/PE file

Executes dropped EXE 49 IoCs

pid	Process
3508	NoMoreRansom.exe
5064	PolyRansom.exe
1660	HwEsQQAA.exe
3468	BCsMokgw.exe
1776	PolyRansom.exe
3900	PolyRansom.exe
1724	PolyRansom.exe
1540	PolyRansom.exe
1136	PolyRansom.exe
920	PolyRansom.exe
2848	PolyRansom.exe
8	PolyRansom.exe
2328	PolyRansom.exe
880	PolyRansom.exe
1012	PolyRansom.exe
4640	PolyRansom.exe
2152	PolyRansom.exe
4740	PolyRansom.exe
4024	PolyRansom.exe
1720	PolyRansom.exe
744	PolyRansom.exe
1052	PolyRansom.exe
1136	PolyRansom.exe
2768	PolyRansom.exe
968	PolyRansom.exe
2392	PolyRansom.exe
4104	PolyRansom.exe
4564	PolyRansom.exe
1316	PolyRansom.exe
4868	PolyRansom.exe
1524	PolyRansom.exe
5052	PolyRansom.exe
3344	PolyRansom.exe
1892	PolyRansom.exe
1564	PolyRansom.exe
1180	PolyRansom.exe
1588	PolyRansom.exe
3020	PolyRansom.exe
1532	PolyRansom.exe
424	PolyRansom.exe
3552	PolyRansom.exe
3020	PolyRansom.exe
1372	PolyRansom.exe
424	PolyRansom.exe
4624	PolyRansom.exe
3612	PolyRansom.exe
3880	PolyRansom.exe
4956	PolyRansom.exe
3144	PolyRansom.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HwEsQQAA.exe = "C:\\Users\\Admin\\OsMkwgAA\\HwEsQQAA.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BCsMokgw.exe = "C:\\ProgramData\\mewAcAkM\\BCsMokgw.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BCsMokgw.exe = "C:\\ProgramData\\mewAcAkM\\BCsMokgw.exe"	BCsMokgw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HwEsQQAA.exe = "C:\\Users\\Admin\\OsMkwgAA\\HwEsQQAA.exe"	HwEsQQAA.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
59	raw.githubusercontent.com

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3508-805-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-806-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-817-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-819-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-816-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-831-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-832-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-851-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-919-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-1216-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-1479-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-2571-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-3643-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-4309-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3508-6224-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2372	1532	WerFault.exe	661
3060	928	WerFault.exe	660

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCsMokgw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HwEsQQAA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752087980577396"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3852	reg.exe
1896	reg.exe
804	reg.exe
3880	reg.exe
544	reg.exe
4820	reg.exe
1020	reg.exe
3344	reg.exe
1564	reg.exe
1008	reg.exe
2336	reg.exe
3960	reg.exe
3364	reg.exe
3256	reg.exe
648	reg.exe
576	reg.exe
920	reg.exe
1160	reg.exe
1948	reg.exe
3076	reg.exe
4540	reg.exe
3824	reg.exe
2980	reg.exe
2200	reg.exe
2848	reg.exe
3752	reg.exe
4208	reg.exe
4588	reg.exe
2700	reg.exe
1424	reg.exe
4648	reg.exe
1720	reg.exe
4620	reg.exe
3412	reg.exe
4108	reg.exe
3480	reg.exe
3852	reg.exe
4340	reg.exe
3756	reg.exe
4620	reg.exe
4532	reg.exe
3344	reg.exe
1376	reg.exe
4148	reg.exe
1136	reg.exe
3040	reg.exe
1948	reg.exe
3688	reg.exe
3180	reg.exe
3084	reg.exe
1012	reg.exe
8	reg.exe
1364	reg.exe
1376	reg.exe
3984	reg.exe
2756	reg.exe
4588	reg.exe
2512	reg.exe
3376	reg.exe
4852	reg.exe
2164	reg.exe
1540	reg.exe
648	reg.exe
3992	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\smb-z7uhqxx6.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
3060	chrome.exe
3060	chrome.exe
3060	chrome.exe
3060	chrome.exe
3508	NoMoreRansom.exe
3508	NoMoreRansom.exe
3508	NoMoreRansom.exe
3508	NoMoreRansom.exe
5064	PolyRansom.exe
5064	PolyRansom.exe
5064	PolyRansom.exe
5064	PolyRansom.exe
1776	PolyRansom.exe
1776	PolyRansom.exe
1776	PolyRansom.exe
1776	PolyRansom.exe
3900	PolyRansom.exe
3900	PolyRansom.exe
3900	PolyRansom.exe
3900	PolyRansom.exe
1724	PolyRansom.exe
1724	PolyRansom.exe
1724	PolyRansom.exe
1724	PolyRansom.exe
1540	PolyRansom.exe
1540	PolyRansom.exe
1540	PolyRansom.exe
1540	PolyRansom.exe
1136	PolyRansom.exe
1136	PolyRansom.exe
1136	PolyRansom.exe
1136	PolyRansom.exe
920	PolyRansom.exe
920	PolyRansom.exe
920	PolyRansom.exe
920	PolyRansom.exe
2848	PolyRansom.exe
2848	PolyRansom.exe
2848	PolyRansom.exe
2848	PolyRansom.exe
8	PolyRansom.exe
8	PolyRansom.exe
8	PolyRansom.exe
8	PolyRansom.exe
2328	PolyRansom.exe
2328	PolyRansom.exe
2328	PolyRansom.exe
2328	PolyRansom.exe
880	PolyRansom.exe
880	PolyRansom.exe
880	PolyRansom.exe
880	PolyRansom.exe
1012	PolyRansom.exe
1012	PolyRansom.exe
1012	PolyRansom.exe
1012	PolyRansom.exe
4640	PolyRansom.exe
4640	PolyRansom.exe
4640	PolyRansom.exe
4640	PolyRansom.exe
2152	PolyRansom.exe
2152	PolyRansom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 3616	488	chrome.exe	79
PID 488 wrote to memory of 3616	488	chrome.exe	79
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2640	488	chrome.exe	81
PID 488 wrote to memory of 2412	488	chrome.exe	82
PID 488 wrote to memory of 2412	488	chrome.exe	82
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83
PID 488 wrote to memory of 4892	488	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb3e4cc40,0x7ffdb3e4cc4c,0x7ffdb3e4cc58
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1720,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1648 /prefetch:2
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2976,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2980,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4772,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4956,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5140,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5128,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5380,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5564,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5240,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4768,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=2208,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5244,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4564,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5336,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6112,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6056,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6092,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:2544
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6124,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5872,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6028,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5436,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4820
- C:\Users\Admin\Downloads\PolyRansom.exe
  "C:\Users\Admin\Downloads\PolyRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- - C:\Users\Admin\OsMkwgAA\HwEsQQAA.exe
    "C:\Users\Admin\OsMkwgAA\HwEsQQAA.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1660
- - C:\ProgramData\mewAcAkM\BCsMokgw.exe
    "C:\ProgramData\mewAcAkM\BCsMokgw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
    3⤵
    PID:4568
  - - C:\Users\Admin\Downloads\PolyRansom.exe
      C:\Users\Admin\Downloads\PolyRansom
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        5⤵
        
        PID:2828
      - C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        7⤵
        
        PID:1500
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        11⤵
        
        PID:3020
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        13⤵
        
        PID:5052
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        15⤵
        
        PID:3256
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        19⤵
        
        PID:4852
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        21⤵
        
        PID:4776
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        23⤵
        
        PID:2464
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        27⤵
        
        PID:3688
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        29⤵
        
        PID:4532
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        30⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        31⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:1504
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        32⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        33⤵
        
        PID:4716
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        34⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        35⤵
        
        PID:3256
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        36⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        37⤵
        
        PID:3980
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        38⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        39⤵
        
        PID:2964
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        40⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        41⤵
        
        PID:3612
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        42⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        45⤵
        
        PID:3472
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        47⤵
        
        PID:2256
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        48⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        49⤵
        
        PID:1376
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        50⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        51⤵
        
        PID:876
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        52⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        53⤵
        
        PID:424
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        55⤵
        
        PID:4908
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        57⤵
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:1244
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        58⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        62⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        63⤵
        
        PID:2508
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        64⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        65⤵
        
        PID:2340
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        67⤵
        
        PID:3412
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        68⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        69⤵
        
        PID:1204
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        70⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        71⤵
        
        PID:1232
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        72⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        74⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        75⤵
        
        PID:1588
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        76⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        77⤵
        
        PID:4340
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        78⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        79⤵
        
        PID:1180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:1524
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        80⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        82⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        83⤵
        
        PID:2980
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        84⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:3688
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        86⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        87⤵
        
        PID:2512
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        88⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        89⤵
        
        PID:1264
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        90⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        92⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Users\Admin\xEEkIocs\cSgUwIEk.exe
        
        "C:\Users\Admin\xEEkIocs\cSgUwIEk.exe"
        93⤵
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 236
        94⤵
        Program crash
        
        PID:3060
        
        C:\ProgramData\rGAoYAoE\vWkgwoYg.exe
        
        "C:\ProgramData\rGAoYAoE\vWkgwoYg.exe"
        93⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 236
        94⤵
        Program crash
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        93⤵
        
        PID:416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:4388
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        94⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        95⤵
        
        PID:1584
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        96⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        97⤵
        
        PID:3020
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        98⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        99⤵
        
        PID:3032
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        100⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        101⤵
        
        PID:3504
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        102⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        103⤵
        
        PID:1020
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        104⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        105⤵
        
        PID:2700
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        106⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        107⤵
        
        PID:3412
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        108⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        109⤵
        
        PID:3084
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        110⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        111⤵
        
        PID:440
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        112⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        113⤵
        
        PID:1900
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        114⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        115⤵
        
        PID:1156
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        116⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        117⤵
        
        PID:1596
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        118⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        119⤵
        
        PID:3720
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        120⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        121⤵
        
        PID:4796
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        122⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        123⤵
        
        PID:4580
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        124⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        125⤵
        
        PID:2968
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        126⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        127⤵
        
        PID:3412
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        128⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        129⤵
        
        PID:5004
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        130⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        131⤵
        
        PID:2340
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        132⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        133⤵
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:2492
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        134⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        135⤵
        
        PID:2256
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        136⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        137⤵
        
        PID:712
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        138⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        139⤵
        
        PID:4620
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        140⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        141⤵
        
        PID:2660
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        142⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        143⤵
        
        PID:1180
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        144⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        145⤵
        
        PID:3992
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        146⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        147⤵
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:1900
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        148⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        149⤵
        
        PID:2508
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        150⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        151⤵
        
        PID:1264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:5052
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        152⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        153⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:1716
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        154⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        155⤵
        
        PID:2372
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        156⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        157⤵
        
        PID:1456
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        158⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        159⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:2940
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        160⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        161⤵
        
        PID:4848
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        162⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        163⤵
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:1372
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        164⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        165⤵
        
        PID:1316
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        166⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        167⤵
        
        PID:4360
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        168⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        169⤵
        
        PID:2508
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        170⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        171⤵
        
        PID:4716
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        172⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        173⤵
        
        PID:4564
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        174⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        175⤵
        
        PID:1072
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        176⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        177⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:3900
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        178⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        179⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:1060
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        180⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        181⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:2200
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        182⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        183⤵
        
        PID:1192
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        184⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        185⤵
        
        PID:1440
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        186⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        187⤵
        
        PID:2828
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        188⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        189⤵
        
        PID:8
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        190⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        191⤵
        
        PID:648
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        192⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        193⤵
        
        PID:3660
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        194⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        195⤵
        
        PID:908
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        196⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        197⤵
        
        PID:3480
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        198⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        199⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        199⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        199⤵
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        200⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        199⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sskEEUAU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        199⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        200⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        197⤵
        Modifies registry key
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        197⤵
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        197⤵
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwkskgwQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        197⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        198⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        195⤵
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        195⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        195⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaIQUkYs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        195⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        196⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        193⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        193⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        193⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        194⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acoUsQQc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        193⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        194⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        191⤵
        
        PID:3412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        191⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        191⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GusEcoMo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        191⤵
        
        PID:2000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        192⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        189⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        189⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        189⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCEMsQwQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        189⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        190⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        187⤵
        
        PID:3864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        187⤵
        
        PID:1720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        187⤵
        Modifies registry key
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwMkYscQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        187⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        188⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        185⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        185⤵
        Modifies registry key
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        185⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqIEkook.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        185⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        186⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        183⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        183⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        183⤵
        Modifies registry key
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsYokAQo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        183⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        184⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        181⤵
        Modifies registry key
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        181⤵
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        181⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COIUsAEY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        181⤵
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        182⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        179⤵
        Modifies registry key
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        179⤵
        Modifies registry key
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        179⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGcUccQo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        179⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        180⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        177⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        177⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        177⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIEIcosE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        177⤵
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        178⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        175⤵
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        175⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        175⤵
        Modifies registry key
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIAcscog.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        175⤵
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        176⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        173⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        173⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        173⤵
        Modifies registry key
        
        PID:576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuIYIYcE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        173⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        174⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        171⤵
        Modifies registry key
        
        PID:648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        171⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        171⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOIsEswk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        171⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        172⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        169⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        169⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        169⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOAwwgok.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        169⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        170⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        167⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        167⤵
        Modifies registry key
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        167⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYIUggUs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        167⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        168⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        165⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        165⤵
        
        PID:712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        166⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        165⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        166⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCwgUskw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        165⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        166⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        163⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        163⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        163⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByMsAkQU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        163⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        164⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        161⤵
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        161⤵
        
        PID:1376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        161⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgYowUUE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        161⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        162⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        159⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        159⤵
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        159⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UokwosUk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        159⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        160⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        157⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        157⤵
        
        PID:2660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        157⤵
        Modifies registry key
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKwgcsgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        157⤵
        
        PID:3180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        158⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        155⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        155⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        156⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        155⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqQsQEkQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        155⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        156⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        153⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        153⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        153⤵
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOUkIIcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        153⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        154⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        151⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        151⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        151⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGwswAIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        151⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        152⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        149⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        149⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        149⤵
        
        PID:1720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyoUscQw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        149⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        150⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        147⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        147⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        147⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOswQcIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        147⤵
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        148⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        145⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        145⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        145⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQAQwQYo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        145⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        146⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        143⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        143⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        143⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqcUAMUk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        143⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        144⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        141⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        141⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        141⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSUAAksU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        141⤵
        
        PID:1244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        142⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        139⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        139⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        139⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiAUgcMM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        139⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        140⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        137⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        137⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        137⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIksEMwY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        137⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        138⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        135⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        135⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        135⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swMEAgsY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        135⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        136⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        133⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        133⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        133⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqsskoos.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        133⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        134⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        131⤵
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        131⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        131⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISAsMcQE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        131⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        132⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        129⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        129⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        129⤵
        
        PID:3932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viAUsMkk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        129⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        130⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        127⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        127⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        127⤵
        
        PID:3388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fccskowE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        127⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        128⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        125⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        125⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        125⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCAIkEgE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        125⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        126⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        123⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        123⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        123⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkgIUkUY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        123⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        124⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        121⤵
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        121⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        121⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aucYEwAA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        121⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        122⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        119⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        119⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        119⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSEYkkMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        119⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        120⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        117⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        117⤵
        Modifies registry key
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIAsQAIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        117⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        118⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        115⤵
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        115⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        115⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIIEoAAM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        115⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        116⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUggwIwY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        113⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQwAEcwg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        111⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        Modifies registry key
        
        PID:4820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkEIMQIs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        109⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        
        PID:2492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgUIMsAk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        107⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOgEYUEY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        105⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        
        PID:1096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUYscAIE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        103⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKcAwUQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        101⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        Modifies registry key
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryIEEccU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        99⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        Modifies registry key
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGQosUos.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        97⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        Modifies registry key
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMUYAsso.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        95⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        Modifies registry key
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkcssEwI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        93⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        94⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        UAC bypass
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCEgQEkg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        91⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        92⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        Modifies registry key
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUsMMwcU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        89⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUEMoIoI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        87⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        88⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        UAC bypass
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoUUkYgM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        Modifies registry key
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        UAC bypass
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuQcMMQI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        83⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        84⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        Modifies registry key
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        UAC bypass
        Modifies registry key
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMAQAMAg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        81⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        82⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        UAC bypass
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUUIMEwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        79⤵
        
        PID:3680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        77⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        77⤵
        Modifies registry key
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        77⤵
        UAC bypass
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiYQcEYc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        77⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        75⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        75⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYAEUkkg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        75⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        73⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        73⤵
        UAC bypass
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAwgQoMo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        73⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        74⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        UAC bypass
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HocgIkws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        71⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        UAC bypass
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqwgIAQY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        69⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        UAC bypass
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsgYcYcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        UAC bypass
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQYUosIg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        65⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuUQAoIo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        63⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        UAC bypass
        Modifies registry key
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iicQAIcQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        UAC bypass
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWEsUYMc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:1364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSkMksIQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        57⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        UAC bypass
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKwAoYUU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        55⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYIwQkAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LssAMokM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        51⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsYkMUwg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        Modifies registry key
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYQEAwAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        47⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGMIAQog.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUowAQIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        43⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YywQocYo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        41⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        Modifies registry key
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAEEUEQA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        39⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        Modifies registry key
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaMsEEko.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        37⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcYckAEM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgUIYYIc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        33⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUcIMUoY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        31⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaQkEYUk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        29⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCwsUEUA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        27⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        Modifies registry key
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucoIosII.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        25⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        Modifies registry key
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKQwAUgw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        23⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        Modifies registry key
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEMQsscw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        21⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        Modifies registry key
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUYwUooE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        19⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWkYkYAo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        17⤵
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAogMkoE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        
        PID:1372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAksUoIw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        13⤵
        
        PID:2372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYAEkckU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        11⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkYUEEQk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        9⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWcwcAwc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        7⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:3472
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:8
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4812
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dawcQwsI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        5⤵
        
        PID:5004
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:4372
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faIMEUYA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6212,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5864,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5800,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  PID:2584
- C:\Users\Admin\Downloads\InfinityCrypt.exe
  "C:\Users\Admin\Downloads\InfinityCrypt.exe"
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6204,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6008,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4644,i,7900076927040693283,17193945858281941972,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:1256

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1532 -ip 1532
  2⤵
  PID:3480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 928 -ip 928
  2⤵
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
16B

MD5
b16ec5689cea89f330932d404e7c4d75

SHA1
3f8adab6666f786fc5256dd9c5523bc58461048d

SHA256
433343cf1fcd841417dd2d54e284c2d52fe34af08c2a77cbf84eccbaf3a35909

SHA512
2f50df2bba2f6f3c0d602b8d8c18cc873ba9773010cf871e1898c0c84e8a8bddf4eaafdb3ae35f5c9efb2274adc6dc986a6803b5e46c198a744e05f5f7dfdaee

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
720B

MD5
2ea627d3172fb93ea50e75e1f3ab167d

SHA1
df2362e2f14ebfb7f0e2369b03354c33faf73a2c

SHA256
64f6754fc3c0824a8855ee87967d261267723fa9418f2fddf8e3101258551b72

SHA512
f8ded7db5758786f503ea4be0fd4b597455a4b66e9ea6d01d687b5fdd0166bdc1421742ef5d5accf94262768255a133a0ed072f786dc3f745558ed6dfaeec653

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
688B

MD5
f777e12dcb8b773c58cd157060506fcf

SHA1
75d1ff77dbf439ad992ad9ca4a0408f9f77a3bcb

SHA256
c6e189f30f9c7baa9486ec251eff31728ca2a2fc40172f4430b45ffb52080f0e

SHA512
30891774217cf8048451998eb3336857ca9629cd13210e128668c9f941d0e510f921c95229a8607ac82af1c7d9314f2fe0d666d1e6efe552788f53f44ef12454

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
1KB

MD5
3290ee90dfabba137ac2669e2a940257

SHA1
b9599014a39e8b4c104334f1a9eda24a93fcd67c

SHA256
6dcb22d3828cabcfaf3e81b8edb09d22f1b98ca70474e1138cd86cc65f15f06a

SHA512
2d1155afcbb84b8d4b8141fe2b4227aa61ee6338ba027e6cfbda825ac0b9bcf154b3b8241bcd2e9df0803e2414e7bdf8e7ace229ac14da9a2299dfb01b8a975e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
448B

MD5
089ebf1c99117a229e1cb33485d0c102

SHA1
80e68f860f441880b4b62417527fcef8988ed60a

SHA256
b1b58f60f169854f50236fa705760828d6fb7c84d581d174f8c5a29aa8f3a0af

SHA512
f87b8ee1839f1bccdd2a9855b6925e71dc7fa0453a64009a920a1339073795ae02bcea9ddb22033881e8ed1cc204936d7e98e74b9bbf0046f0c956dc9850cfff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
624B

MD5
1c4534dce34cfe0d5dceb440da12dd7b

SHA1
ff01c3dab8e0c7bbd217f002e8c1c7e061f71113

SHA256
fd4ce0ce5c172e9a68eb2b8d276729b8331fe8c7e9507b8290b9af3417b0823a

SHA512
f9fba6145dbdac00336309c186835be2a0e1158f28884a5557e0faa4e1c39e8ffe43ac0a422952d2feabc313a21c81b6022edfdb7859b55a04755c6b598a974f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
400B

MD5
7ae941fb7631f7919d00bbb938a1f65d

SHA1
d50b4673b1ed2e84e60ea8bcd0a02d67fe19cfba

SHA256
e115bf222cc5c027c2c8fffe87170f49a062cfa5720d1e9b553ca89dc79c1d5e

SHA512
909cf3a45342018e3b5fa91c044b65f6a4f16c67b62565407161c73e18dccd847fc96172f642fa500f9e33b209b53e38c71835ab48ba87871d54afdc7faa9244

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
560B

MD5
d4371672145be96eaad9e331644c2594

SHA1
bd329f43d829201c21277b266554f867cf61f240

SHA256
fc89dbd950fbbbbfd8a4af767ab0eac32c84b72fd8f52fa2201e026ec0883f4e

SHA512
e1eab5482a13eeb8505feb7d9c765d8dcb39d0a393c01543eb2566151dc3bb3c4bf3f620f7bd33c2cb1bd6d0bfe538e4f95b4a0a2e7886bdbaa80c4984359858

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
400B

MD5
e31b2faf7c956779c001936f90c29428

SHA1
4f3f5cd881f26798356f1195ca4ba7aa5b4114a8

SHA256
c61f1f2e91f9a41065213affb247fb5b48d805c9d00108cd4c3f54563e8c2aff

SHA512
e31f897a38d398ceb15e896b54df1a9fb8c70fb9d8642c5423c27551b64ceb08cc831023b66f656ca81ca2c4280797f14b0d8d0713c98e93dfb1604c23700301

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
560B

MD5
31b2bc358dfd2e509b4ff6ee2846ab8d

SHA1
78ed882182b7cea7a4997efd787e640114d587b5

SHA256
fd321bd2483aa1a8c5c3a91b8f4ca9ba5ff125db0a325c913a15ce48aa556dfa

SHA512
fb6ee9c6c7da9b28a57eb33c36cdce336d0563c8017a529f275744e7fd2d9ed1835c2c1cad9dcc12eab214c7febee457db14632027e8eca66beee3b993a82ddd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
400B

MD5
805612153c2959c8a127dfb0b2ce42a5

SHA1
3e4f84f6f074a62cae7bb1b2ec346aee202317cb

SHA256
883aa6fae9bfd80dfddc7bdbc13bf0842ae2aa05417ebf1003a1b74a913dc018

SHA512
18f97b6da15aedf31207b56ff730f43d64920c8c69f8fc089e90000b10a4dbd9a1ec6c48ca02070cef5854bed7baf0d498acc4e64619f44fc017ffc102e26f9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
560B

MD5
bb54f05cc9d0e1603293ebd25a9ec504

SHA1
390fea86afaedfb7000902cb58aa9ffac46a2ef8

SHA256
96ea5e2a1ff4eb0f2b7a7fa530f5fa951c63359484dcb96446045eaa55a941cc

SHA512
217870f6f22813de1f4cc015ce3009393c812de431548f24998e683177fa9f5cd9b568d6daaa7bc4cd1b3e2eb12aa695f7955213f86b7674127b99eb9bb673f1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
7KB

MD5
561d319c7899b6d8e07ee06e6177967f

SHA1
b94d69e0c76901a667502a7f2ccde65de93ef5c2

SHA256
04dac0007398c98b91b54c62bb6efae993349639cdf719d9406d599b28af1162

SHA512
0c68fc4f271db094791b1ab3e2f9f2e68350de3fca57916bb99af212ace288a42a0a529cbb2a07374526dc4163d1721ac7f517b9f4605c38338c918382aa4d13

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
7KB

MD5
3ba08b0078b2782c63b027c934152a61

SHA1
9841f3599fc65d91d17119a578b5f87b721483ae

SHA256
64fb1df92f89bc66b542821bfad226fbec2355356aa46be5829ff00fe6cfd04b

SHA512
d8ff4759cb7a3f1564f4a11c281b525617802bac7dfe0772b6bf9cdb00d990abb21540b397b13c34c90ddca3a0ab15237a6604e9bb512999d1112ed2b9725f60

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
15KB

MD5
de82015344c5dcbe49c947fea5d7e0c8

SHA1
da9c55348ca51944b18679487e4ae5fbceb3cd8d

SHA256
d7e605a2553af64ea2a66a8ee0aa66856c6bb5bb6d16180f092af6aee6d5481d

SHA512
7adec37610034681568cf8faccf1f9a035a6384cf072ce37787d2a4d2024fb90d30400074e746922fc6070299e47cef592dd4d12b079075a0d6748b8b3bf0712

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
8KB

MD5
c1fb4d38ce0983b080f32783a55959bf

SHA1
2c94938906cadcb1ce44c3e1660d88b38ac9e132

SHA256
2b8339025951c3575ce6be23ce3f90e9bcd39741d16939bad72ccbb6d3d62aaf

SHA512
987ee1699e676b052aa9fc0bb260073dde20aaa838edb8f1e9118846487c90b08934a3fa63d12b105d606d2c4378616b1fd668ddc5b90787a05204e3e6529c17

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
17KB

MD5
af1e0ff47b3f02a78e29f0073dc27f72

SHA1
be235e1f03576e5dba301ea0b6bdfc535dd14bdf

SHA256
b01c969995fbf74a541d7c9bb5bd48532d6940aa3120f10b77b612ed4f182e0a

SHA512
ce01f0b4e014aa48a57a2c946b627892ce41ac1effe5227c7abd93fb3385d813c623cbc6105d6dfe6d9e0f31eb26f7e991ff43fd73dc5c0ae684b2edcf2bb7a8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
192B

MD5
8658177738cab611dd7ad20763ba002b

SHA1
62e6e999883e989779bf5a0d5af71cb2d89a4540

SHA256
a9eba90fb355e6ed02d701ce4b36de3ecbf39029e9050bdd6719f3a03513cef0

SHA512
14bcf93052fa4ad1aa02597806f50fec3727e136c9c56752a4eca320095fd84804fcc28e7d4528dc27375cd9b93369bf9b90691832cd41d3ebaae6307001a106

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
704B

MD5
422c3474aa9fb4d179cdb359876bc6d4

SHA1
dfa10f38ec30258c0471476bbc96fa462549a77f

SHA256
a69ec9870046bd2ab8ff1db6b3458b5ee77ac22c393c0055e296b4268948d0dc

SHA512
8fb27b61a9df2fa88d89543a94aae20f207687bbb8eecb555d9d09db26eed46c44a4f49b1d46723d16abb9aab3755daded061938db6b0f6fc29ded0d28e16f0e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
8KB

MD5
84505cc546ff4e84272eb3beef3f9b3c

SHA1
619e5d5f775a43504c129dbce8c465d611602633

SHA256
ac1b210f3aa7abbd53bbfc2845536eff72b2ac4d879387ef85b83e91f41ad691

SHA512
24493098a5277497e6a0eec7d0b1476c385cf95e546de14cf4ec370b84afc3cb7edd1b280be49cbed3d365d5c38c7f648912adaa4eae359dd2ef6e5906651fc3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
19KB

MD5
451dd25254f487a3ef4382dd70910348

SHA1
8ad2ba5cdb16160ff8da1d7b9abf4db3b15680ff

SHA256
712dbb1f8a1736d13cc607ebc6d07463229158a011ff50de71903a967c159a17

SHA512
02dc540faa5952669d4f738a61bfe2e3eabddc908a63b0cc2a2daf9b64291484ce054905bc08c3a6fe26e003e26bc5fa55a184cadfcc7e9367b24e2b7c4dbea8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
832B

MD5
c3a54346792a2ae61141aeed91efa7b8

SHA1
6567a1a27a8e8c8d2af2032c61ac4143967813e7

SHA256
04e103cf96a35cb1799a860a689aca2473cb5e1d52adc922c9f3b70858e15c20

SHA512
c1b518de677f01db0b423df4ef9ff32af698b8c6934cf6c8a265cc10c5b604f31f4cb66c208c4c568d8664e40320e95a41e4d58a0758c7cf70e4104121f28e8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
1KB

MD5
bc79635a4c6e333ea56a4b5816cabd3b

SHA1
881d20371517b6ef793742875bd3c2f9f24d8bdd

SHA256
c62ff891da93643cd4ef05aac39ed22681939011d0ef7b712dbbf627dfef99c5

SHA512
1f8a37499ce13872671bafd2e47cd65564e7327f9e283eefe0f0d13dca62198fa35b0f47f1f4e9cc6c01d94b25d1c9e54e9dd084f7341368c98829ae8e32e788

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
1KB

MD5
b8719d76452c90cdcffb41b0a9ec6af0

SHA1
1cb4a196081083ace46af2930731e4d98c9d3afd

SHA256
52f33463484d0cb873f1d4e805e7bef9c36de0129703e84fe93fde2266ae33c6

SHA512
f8cfcb460210a50cd066ca6d4ae91de182f0b0c8b2b69e6237443a20fc30d5e1f67142e0f2f4098c76691ae67fd79fe41841ee7bd55214e7316bcccb11aa9f57

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
816B

MD5
906c3cc4e4d7be6bd198d47975551edf

SHA1
19838189fc43e8fcee409fd7c947f5517dcf827a

SHA256
35bf4d3d61a0885419e7d64f18cf15d4872465a56b6349e613cddfe1b2da306a

SHA512
70124d9b4760b5b250f03ad0f7a83c8e26feeea05cd8ad5db22d3e7960611e2f1b25b10a4d7cd72c87c68a739c0b6498e92b08cf0924c73d5a62f694f7edf964

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
2KB

MD5
2344b18180403538be0bf047c06ed38e

SHA1
0fd0320ebf1a6b29cc5ec9eea866fa871d83024a

SHA256
12035aef2c7b10884ba339f0097d4315d8c37cccc056575000069f6b7efbff5b

SHA512
aed6bd83b0766cb41eddb3a52020e3a22390be72a99d14bf66fe631d51dcc55f54939bea2fd1f1cecba6eb5c7860524b4c370978bd6e4043744ebf5d28c5d583

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
2KB

MD5
31b512883c7dcd1765d715432d0abc70

SHA1
310e89c492d2eab5294c59653f5f98e82ffe38c5

SHA256
f3314851c20bd4ada8330c332861e324b4e505a5e456005c996d43261bf0afaa

SHA512
edf4cb5eb0e8bd4007ac5e813acac2f635597580fe4ab8ab3cec9fd48aa08cce70ebd197cc54b9486b2e1833c6bec08786f5d990abd2c591e90862e9d7f2f39e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
4KB

MD5
192dc9c140ea7954471bd2fc3e9402c1

SHA1
77a88f37a1e3f930b30152ffa3bd39c597c3edf7

SHA256
32d540ced6a6f4454bccb14bbe2015c8b45b88b1e5fb284ca849f17d4140cd32

SHA512
30bb935525e8815ffdab96acde3ac8622c93281668a3b726d880d102df2dddde2fb119832b68da10c7eb74c40cabb0f37e9f8b2db85d1bb08d03042baca91cc9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
304B

MD5
7f7ababb1a894e81d197b65568ee59f7

SHA1
6c23c3ec2c0b2adc2b7b7b3c9bc046b09c5ce444

SHA256
25665526a6089c123cd693c9ee765702e758f4368e46cec94d618326ee3feb97

SHA512
cb92e7262fb46145cb498169ec7e6a2c25f04c508f5a9794a70a0e010745f7ca9f7ad1966761abe16285b3d42470853218d9e4605466ccbdb8750d0d9449b53d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
400B

MD5
25afc75d203232d88fb69027a589d04f

SHA1
f4e299f3588b3876d21f251d5b64a6dc2df53628

SHA256
c7c3c18fb0cde2ca846e67a6b4c33e77e6b87ef6dbcf84673a7908ccecc35ff0

SHA512
3df9795808171a59aac88fa2346dd91e4f6cad1248e27380e5a66ed75dc2c69c44456ae3626baecf980716c1fa185e92a6c1c0cf0f6c950037a09177d41211be

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
1008B

MD5
cef9272f23835067d1a62b1d8cc35e58

SHA1
b0cea104861c83c12c90c23853b7734a7a424aa1

SHA256
b4e1a870d95ca4d6c2f7c0ac9faec06a9891c8435ad0bbf659ba08508a437935

SHA512
8e977234b8d58a3a4fa87a8449cbcc2f4cb32939b08dfe8571183386f8e482d9e6dffd990a5b9606e74597312f1acfdad231c5a8c38a52f72363b13069dbeb57

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
1KB

MD5
524b1c33e3636ff35c3fac32ed63a5c5

SHA1
c6f79db05986298a3d8115c6e5d054caee291919

SHA256
9ce3b8b08d055e5b7fd4b264ec53b4209e6e77f79e0253d8206042363b5e50fa

SHA512
369880428dd0952c097c344b30725b4f79019ed78c2210e737e08ef22b42cbafd94b76072a5a304aa2a55d7c2c3e8dc8c30a81ab4109294394db970dae6f2400

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
2KB

MD5
0bfa0dedbfffbad8c694fd58b26e6b24

SHA1
3ec706be30a71dbd5594d7ec69647534d20e0f73

SHA256
856594a5b4593f9ca15dc6b99ae19a1f86a06f801407f7de182099151ce8d462

SHA512
ba4949ab3cae5dffd51988c7596c9a98c54357969e1e153433d4df0034fa326e6f385500a25dc4e287a83fde20aff097d3d26f682c72f3bf88d146c23341d20b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
848B

MD5
d136f934961541ef70536685bdda6d48

SHA1
b8314f3923c3afebd8fbe87eeefc196224badb29

SHA256
43fb5dc9b530c43c2b53096b4902ac16c0ed776e1fd6204d093127266f2e7258

SHA512
dabaa3c39a475b04c8aa8513e01092f7343b3bfe7c08fb41c1a7232ab54ed8e2dbfbb79caf1029db12b2f6b15125657ef1f3157fb2fda5e09a6144782d1de2b7

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.C71F032DEC96286D958047E0E0E45F35435BBE6574769CCFBA5E5024D71DBAA6

Filesize
32KB

MD5
94ffbec08c669f908d66150064850fc9

SHA1
b8b4fddea407b4e180eed98fe20dc8b737660f90

SHA256
f4810639d8117b9966540079df4e4f29b8a4b5c7d78d532ae130b1faea38a916

SHA512
1e25a8490694aacee90081e6c1c13308629e1525eb8c56d962895a315fd9e74920857b836354dae41fa31fb50d9053815c8473bad3f2b21629ae8431a98b52ab

Download Submit
C:\ProgramData\mewAcAkM\BCsMokgw.exe

Filesize
196KB

MD5
3b424f4627746c07dfe97a168d58d6e3

SHA1
307dac44afefb2381d4bd47d92545e69dbea4a4b

SHA256
dc4675e788bee444f2a87b2b0ad1ca60381e0f277f3d30b8fc437dae6496d82a

SHA512
35a4195526b2f6534244dc19a5c32ff1fa0e5395b470f6211a99b9cc221b68fb8b518aed911a16882929920f74670627d5ffa771cf2085469c0b3a94106071d7

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
98bb667fc7d700c6b6144094a975d080

SHA1
ea1dfb79b1db7e3973a14a32085445fc21531386

SHA256
ff23a8c24c462246355cd95d7be8ec577adfa213f5394990f7312090cbc08224

SHA512
473c734953eff7ed5e371c5b6db90e4ddebd0c0ddc67da0b4196dd7bc61c683908dc2b0fc90b324190377e8ad52c67e35b2d5752ea0744f77f18ad77df34a8ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b81940158ca4b2111ca1cb5b60a7f284

SHA1
7ae2ee713a52453c7ad445b610d7a10cda4b0245

SHA256
e2d0fcecda0d3e750014cb192ac52d08570304576ace1497beb85aa09aa39417

SHA512
95bcf46c4cdde710290b3f5fb8f7856d7c06b92ccbdcc8d814aba4e435de882450307903a323aec3bdab2bacc9adf27971aee8f64eb45020aa333a166ce0177a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
76bd58eb70b08275e05f9f05f990b019

SHA1
40a3b68059caeb73694a98fc01cac6c7f4a4809a

SHA256
7f197231189766bbab8d1313513c65dd7355a71f9f7b4dc963df114e4793251c

SHA512
4175d859a93053190696a4763370331ccb1b84e0a9f1caed6f1c572cda6ed07f9df24b8d4e789ca7110b44dec04c2ebd0a8750f274707448c156f944cc053cce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
29cc2a9321dda2d02ec542636e8e008c

SHA1
b9f16dd95d1477ccec6245ea8c1ac904caa12799

SHA256
42a4d150e16a302c768cc86655024724bccc88e26f0dbc6df17c35c244beab1e

SHA512
5cedc61ce6664be1d107715804a8509b1f741f19d270638336db03da00d70fbb025aad331b1c9ebc561caf0445a54ec2fada4d89a34621587319ee1aed227537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
07b5d149ebb8819d3182c051f17d69ac

SHA1
139ab74abdadb054df6ce2e830f993ea1da9ce48

SHA256
108b5da7c2cbc4d5e667615114450bf1730d027fb4514ba53c5f390e282a9e63

SHA512
a0f456746a0d2550603d0ab9ad0ba5696443ab2c92766865ff93fe4a555d831114d51eab54766e2bc0634f61e2d68dc5054aaf3d933a5449065e35d60b5c0342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
62635b7cbfa15063f1f00ac46ca49082

SHA1
bb9db0bf92e42d018a2914512d25113e15683db3

SHA256
ced7ec8f38450346d21a4e85eb04f1f9611933c1cd0afcc7f6047edf25bcae23

SHA512
c4e2892c10fb60628620bf00af2d708d74e6e0e0839e8eba95bf456aae3fc9f88be283f4320b3662d09c5ac2e9366bc381bb482a74578e7b934c751b01bafed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
d511c92eb9f83ea16979510518ac0abb

SHA1
c8953ea9a68e2f26ede0500d6cd6226deed3a977

SHA256
568aaaadb1f29e87349783e221bf1dd91c44d2cee8c04189398876a1a598d5b8

SHA512
d5e39f781e18a84a9c5e36616405df6497b111ecd843c899bedc0ad0868f9f01dbf3dd36684d64d029416442f696f4c17e3e92e4e18821fb85c5f2f3ed6a8353

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
322f41a67979fb17101436db6dfb1c69

SHA1
720a5c4560d442105915cec3bba70acaf5ff6de2

SHA256
1b3e71775b981b1efa29aa214329bfd779f16c4522b71ac72ad598a70861732a

SHA512
6e674b7fb49bd8d7c4cb609738f53bb5a500f4c52797f240fe414b8ae8a51161d977fa42fddd86869881d26fd1882c91b3fdeffafb50a9325be2e2eaf9100941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
380cdbb2dc3737a151aaf4b9246f5a17

SHA1
292f8c9c12f8f6e16ec3954f287803e8e560a2a9

SHA256
eb3ab6ef49a2a4e23438721a587406f23acf5de4d2ee115f33bc1e8a873fd76b

SHA512
5935292c8c0974908f68a3b92349a2906aa7fd29730d98dde4654747f9a3d5c444870b1924910682b5175218c3526d62ef3fc486ba373907adc62c858ba77ab9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1ffe99771f3f0d4d1ee0870915922fa4

SHA1
91cee2c68879a3a7a875307b300e9dc812b6da52

SHA256
ae6d816f23e609fbdfec3f4debf0e4689cf555bb716adc533aa5380ba54acb0c

SHA512
156eed2ac0d80569717f1cac33779aeb9ff9c6a214dfca0f3dfe73ddc423884f4c5d5a95143bfbf2c931e3d3560de4ee8c16380d1853fb1d7dc54438786d5c3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c0287e9e21edefead8bdca469dae9275

SHA1
537888dd05ac3b54a26fbc23deba094b65f59970

SHA256
8ade43ffcc778289c856add549e09ffd7fe4578402080de02430d95b4deb8375

SHA512
4a41ab770ce5eae0396580b25f1ef0523471249696cdaab70de83416c03dd1fe34f3ea91fb01430013df28e34812f68844f9a136317933c667fe659e1919d572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
ff560558584b4755e8d56cca89aa8522

SHA1
75cfadb5f80d73a08121da6e386c22d4b2f99ec9

SHA256
b65a5e07ba9fa13b8df6d1f0f385a00a9e3783074d3d756315cf8b6c4166838c

SHA512
a031a5655bfc7d160cc2085e94d489a446246678becc808b5f143c4a1d5f2cf195cde960692784bd9a2834ebd57a38a46bc165f04601ae03dccfffd7746ffaad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1b142f10cbe9aa4c5f0e270c6c68a9fa

SHA1
8921d185cf6f9a6e19d9eae23494f9079b26722d

SHA256
3d79d73165bccb51ce50c99c2bc02889a6dae437aedb382c0f9a6e77a03a561e

SHA512
d2a5be70a34e21b370776718e68de9f7a2bc7870728313d11377e8241765ac8d52ad3fad8ccf210e542c07af82544ee609b715f03e5c14398230e48368513ee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a6c756fa6426418cf99f4a619fe44f24

SHA1
dd9839e22010009a40746120582746017df80649

SHA256
b6b37fb921d9a528e49805f91d88f6487139e0e9baf2d1e4c35011279bd75a72

SHA512
0e8ded5f7a936a5fb802093df433f95475a0ac6307c223a120fc1fcbe88806b867f415c35a760f7e314a5c5a7e9344bca2a376e545fc8f77116c93f7d374a0bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eeda33db426751f91d036185377cccb2

SHA1
652f0358c33bab47f907de709eb1f0c45db02e8a

SHA256
68e7c51bd7028f678b6aa25fbe55464f2f5d0ce2a8df8ce6a83d2ae8d697b6f4

SHA512
058b70f5c6a44e8d6abb5dbe539ac850f442a4b5994f71e2121ac20ce797dba672c9b1405ea16524a2b5c92cd8b125cf349885581ad4b9878de249e714402886

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3a25882b3829979402aefa5a8af9171a

SHA1
85f92ef26175b01d85cf5010d2c690d5beb0fa23

SHA256
99aa3a2a2fa6d639f6c2af8d57d267c9e82303b6c89ea7e880a9a3b17c1d77de

SHA512
8a2cb5ca2898ef3f2d38798825d93fda5751aefe77bb7af4dd384152be20731f9c83223ff79af96439e6e238633914ed430ca1ad92c17a31fdd7b91e9efddf92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8238ecdf76e67cf21c1d5c4941d51993

SHA1
4999136ad0752464502db793eaa76af042860d38

SHA256
661f3227abf9d5a75bbeefab1ea97e891008201465e471b7f545759fd09e7052

SHA512
bdbc65165004348fd11a521bd1337f886fd71fc9166138f9578d33ded0d563980f3dd4f47fe63f95b3aa9eaa6d7391a30f841f3038c7bad6c87beea32cb5ac31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0ec3c0908cd8a78ca3a0ed6f465e425a

SHA1
914bd85375993ae97e95c850f094d89873d1f777

SHA256
d439cf0d0c3f3eb7557b7fef0b32d4003c7b35c24ac37b261a368633bcb949cf

SHA512
a5fc1556237f043a205f57c10aefb3aab38f2abd317e43c56cd33a94e1baad277eb7168b092ebae4dbfafa0359d1231831f571860fead9e87da2992123ea54f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3403496ad59d9940a61d49a4a8a4a5b2

SHA1
9b1de7446bc5f5954d72aac0aad21eb28504d82a

SHA256
feb47097bb138dd9e20f1f4f310b7ded4e2c491aab45a5a3071ce1da520f0a92

SHA512
f64c0bfa32ce35efb9b207de1a9001864f1de58aef0a427f10f468d90de64598da66b08961178d35ca7aa8bf52a1861764e4c97d87a4584075af665fd8558a63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
09f36be4edfce1113a8bd13f60d32f13

SHA1
908f3dd306ff512a41714cf7a6e9f5a9c014ad02

SHA256
2fdba7595cd6e555a85307d9b20fd1056f3251ce9e37efb5b40a49195bacee72

SHA512
b0f4869a6226a4c8ae96e5bf4a7bac84b8ae6b6c758dc7c8711170250f655451adfb97aeac250bab5d24008eade663e08b3bdedff6f3a347e8583506b4abe7ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1e7425e4b07716edb1c0be39409522b1

SHA1
cbb8a761de5a24384b451aafdfb39bf5987fad90

SHA256
91fa89ce447e25b2781f38158eb699deb3306e2f91cb0d83978ab1c315ff1a42

SHA512
769cc823d61cbd21ac61ca8f899fcfcce502d116f3ff121c5f217584cab102e674f7187b0c8757d26e8abab2c31e2555044b630572d72a0b719da3002e09e5f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
002aaa40a378683451519f02db95446d

SHA1
82108d896160a2391a4c10b275f4c8e520833201

SHA256
4c6818af46c3a7f62855243363906630bfc49891db6a742c1dcbfe332a7adda8

SHA512
6c7ae14d69e64352b9672180f80abda38f577b5368a942728e3711a67d5b00c9fae0e1e0c6de3c4bc8eab3058f34b7e82f9d89a99e3c2f73f67d27cef36f8638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d6fb9987b62a122be4906fa470d48ebe

SHA1
6c34e4d4ce5bb4362a85eefb618baaadaaede95b

SHA256
2cdfc673f446093cf4acb2f2ad81ebbe9240fe41f7beb0f2eae4b0c2663fd44e

SHA512
a957756ce1ccdaafeb24e81db8e57616876075429a3cef53ce30f6cdd442a0bffe6f4abfc6b255c26bbfacb000adb9e81f4ec0a1dd055202c6497e46c5f9c23c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
89b4ac53e2525d09606d25029b90fc76

SHA1
fb4e3638b35715267a40adada6644e37626c8eee

SHA256
97cfb83d54a48c04fd35aba71b9efbcc7d60ee74098204fc4791ef9373d969eb

SHA512
b01965ada269af815a78a34c2036eea0a9d8cf76756a721865bafa9c246d1cbe86e2e97ae93939f0c193c93133e11465c3fce69f57e04ddcba52013d06e4a14e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5023a8892872a15ec935ea684a64e83b

SHA1
456c2d2ffc7fd0801a4c18e2e7e53c148dfa2766

SHA256
90cc269795b94f4956ae0bc895ae5e4b83a0a2cfcb4f8962a09237830ff299e3

SHA512
664c7a49f788f1bf37f32531b14a40b0c589ef57f027ae97f5bd77c09ca46179ae06caabb7ad02bff03c8744e02c0974b99ee3aec3f79d3f041459e07f65e41e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e78b3f63b8a14c0395c42aaeabdbd255

SHA1
19aeeced41899ef7627290b71cc56c9d371a5570

SHA256
559290b516dbdb867c1550d97c196ec2fd03955088e9305b7e298b77a3107ffe

SHA512
3aa102bb968ed39423c3740d4661e4669d73f168f8303c765fedafa614d49a7d4527df40fe5a7ac0eacd024af3d60f12b8b12442a9f3aa1b74f4e97c66ac3d66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae69fb5e133bc48e7cf0314049092ee6

SHA1
1e77441730a0ffacff4df41ae22046e46704425e

SHA256
97886b78a5822788c0add41b99a44ca1adbbd8ff0f714e64de63f91bdb1b155e

SHA512
4b811966c938db46d78447d9875d0a5fa2d5baa22340f66739e3f651c38591132ffcc3c80777fe7166b5f238c35f2d15529a8d07e9d7784a447113ec3973076a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
dbef86597fda4ef80934a52820834196

SHA1
e953e8de6fcf8eaca859c45dccb0c9142d434de8

SHA256
bac5bbac9a6241b40b5df1f8aae0365a490e18b67ef751dcc8769d9c8d61e19b

SHA512
ed588697b1343a0c2be15ba1046298d0ff7dbc4dcf885197ccabdebf1944062fa7de3960c7683987085ba9a5cbedc78b381e6edfff53d8e0a12a91d8189964b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
de77d7d945d57a08a4f6639cdae03c09

SHA1
5045c033ad0f195c0671dc89858a4d47becd0b5f

SHA256
8aadec25a156e24762b9ccf609e57c557ed229f4e1237ce166e93fb15386ed92

SHA512
190dd3bc0223badbb48197661348953df4760ee5de1340f2d5830036271f78c2a17c509a964a10e59d42641c70788c526343b9bd5770b85dc822ebb44a2483bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7387f9364460f5bfc3bb18e267eeb638

SHA1
eb9ac8298ef22d49b6be6eabc91f3e04cc5c21a0

SHA256
201d36caeeece6a571537fda48558b17bf71cc88ccbff61faa97ec3ad1a09525

SHA512
e7941b569ef4e34fa65bc2adf32aacdb30909a7d7edad2dade60d2cd826e6fd70f05d173e99c96162263f5659db9c25dba058fce98720796daac0c6c5f47ebb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0040fda66b2ae65038e20e4e45af083f

SHA1
e68d66d9c158421265d10503e5996ae45498d2c6

SHA256
87ba3cda2a7ed7921a075cb7363c53cac0654610e0990b9ede48e5b8cfcd51b4

SHA512
206f4f4a55d163377c59809bb091e516aaa34fe196ab6312839592f6ba65dcb419fe20e461084f10c7d25e1319095b280351d8603c987ee507f7de51478bd54a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17d079c21adfaba2709b5ab4ffe3d3c6

SHA1
d736a95da2130d84b836404c899c067545c5acbf

SHA256
5efe21c964d71cc1e1be55929c9abc08b9a9a3b2f84849680cad107f6b303182

SHA512
0d32989e0c758636164d0c8bfeb08c04de0c4a6fedce8091582cedf01705ba65f1a5c5eb200f18d24912419ba39fd6eada400e219b74025e575d58db81f13c72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
589dd2d6dc682c441ea4799f285a7f76

SHA1
3021702c53345df52d85d151b8f0c34cfa93adac

SHA256
5d50c4a78740f4eb5469fc68f357ba22ae2766cbd74e9555abb0deddc9ea48a5

SHA512
d14fed6759b91a774cc2ab14aaf4f64664a9d543d58bd691ae8b12f606f896aad4c82797a07a9272738643fdc1eef8e7c6b563eb64459e55e29787ee3bbcdcec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
35c3ea243d1b0aa4d7e67e3b0d00f3bb

SHA1
fe75c9ec03c9be0f9a7d3b42ec08f4d324c28da8

SHA256
de2c830e8b16eb385c20273c7425b374be13ff1d874eb9a766b5309a11b834b7

SHA512
81a7b6bb19a87c8231069ded0f6c054eb368f3e3c45e4ee12c0678292e5d5e973e1de3cc5e66463abfde7ece3db2810c670b4ba94156c5bcec33cfed28426141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fb33bce3859551ae3e47b6f216165fea

SHA1
8ff73780d244cefd09217a00c5aa8dc61c020129

SHA256
ce4274cd8e8506f68044db1b59555c7575bf63b9a2f4a5b2cccaba1dddf2f381

SHA512
79e6bed08d8e233890d11ad7d8805aacc4dc4b62e219dd34a3df41586cb852b7443c599998a5caf912390b75563ad24520686ecb61ee94a3e82fd7355c88cd1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
20a20619742d5563a537cc533611053f

SHA1
cec87eb3b72498ab63b206fe2a2a9855a68e3357

SHA256
b03741abd1fa813f7dacfac3bb9764de9d4704f0bbe0ed3a1ce3d7f5a18ce33a

SHA512
bc4182e291e82386df17513da75401f2f8afa833e14eccb4b30d81b1a5a8438d7e6f960c3ca929746026a8ede417028d43a2827cd6a4046dbb57d89f03be48b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1823e826a966a90d193d93a529ce9a52

SHA1
3f0088a766397806e4a68448e207e82290e90704

SHA256
60b2ba36013d48be6cde27413f6786a68d601bf5616619837a52ad9db823f55e

SHA512
4881d354571df54bc22d4e3ed25e61de09d94346f11cfd4e3979c5748f62bab9bc26e9e8ecc321db0acbd5c589b4b0c82d9fc8261ac6bdaa2cfe1e0d37e20f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e70c9ee653df46cf16c43d95cf18e2d7

SHA1
8f2c68f72129a0bee8a543b6bd8f1b7afdd0cf09

SHA256
1e5cb97739f5b90b4643ee8b16d6d2fc3c74f8d9f31ebe96df1da5bf0e8c7fde

SHA512
e87085cd262725a954091a00e02985b7581b3542b4c7d86ee3f1504ac8d7afcfdad14f68a9b6838dfd75b582616a6ca31fc38faa66b78f5b3c48851d990c7b02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8ea608bfd12519f409c4749e7525d382

SHA1
895a0871a35a5d5a535651ea6794dccdbf2d6295

SHA256
905733770b9e92f4e3a012fadac673809318577fbdb282434c5284a5d956cfc3

SHA512
a142dcee2a409676da726e34e8bafc60e6f02681a2ea64981391cbefe7c4c19b8157bbf124a1bddbbcfca34d69ca2844d2c6aa505de35972fbcdffb92f874679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0f3f92d4c0c646da773275a2d73a70db

SHA1
1d7a551ed69eb35dc0ee2c07a64d2aa131a6d768

SHA256
2ce54084501566274ea37186e8df30a940a1cfc66b9703810b15a36519976651

SHA512
bb392cdb2a738c17b8998c0d0c1eda4193b921a8c3d22f54cc5af46dcb512b79612af9c024272b4b3707bb411d3720ac95055847c308617e9c9cad4bf5eb0084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b666cae830393186f003c1fa12194c91

SHA1
c1c15b6521385e43ccc66c13a45b601ef1f81aca

SHA256
ce74c8a0f16bf842907e95f8987759f662501542c3d1a3ad65c774f543bf2adf

SHA512
a1db13fdd54b0b05ba8f0d7ab089057a68c238b69b3e2921c589448ea38cfd720b89ce0143d7ade61eddbb53e7b3feee235eb225851c6c96342a13c5a1bdb9d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c8a07926ef7ecb2da97e85a5442f0128

SHA1
67da76e522555ba5a69286858faf7b834fb0efd3

SHA256
1584d5eed85798559d653df7db36c12e6cec2664ef1005095dc0aa086ec4a980

SHA512
658c6fba0b41edaff91e424cdf043486b275c1df4fb4c1d9ab6a7c657765d48bf19d1d69d93e14d96e3215b9cd411d72ba7702eaf9e17ccc016cc3acbcc676a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3f2bb210ff31b95c5f29f78b38647472

SHA1
e7aa70dc9bbf93cbfbb9de95e2bd1c44fee0b598

SHA256
07ab5e67a4d6e97620a502d426345fd03e56d82e29d86856369adb28a40b92b9

SHA512
4e310125137d1c468ada1396573c17defbd521347527f7a4b0edcbadcac035e02e969b274438e438bedf9842c3eddac59f95cb3bd68c5d57da5286130195bbbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2906c7c7528dc81049a6096c35f17b0e

SHA1
376eae0471a8c9c54ddf083b725571a6f524c129

SHA256
e8a1c6719caa86224b58046aff07d9e80798f8568a8f7eb017155f6d5bac41c6

SHA512
8c3466d16b4e3692c4507d166526be6e23273b87610a64219bd06ee04a25bcce2dd9a205a9c2cff19529e7d8ecf5c6f6f2170cff9aa861465faf4535b23ea79e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
35692ccd57292314c03558bb0f4f5390

SHA1
14713d55fee2b69490db64c2f3f607397d97b7d5

SHA256
7a62336080a129ecccc7963ab7335f912dd8111113208fe71dd6626fa7434c04

SHA512
ef1ca9ab34bc7913b0d63165cd5db9ac33e6fa6a312f55d778e6059529347f60ea5c7897e8bb23446d5e2c98660146a6545d31c2a92746aafb7d01c31b2f6d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
4004c169607c31bda2d4c0381c5d5d1a

SHA1
4c39bae1b4a3b424c82bcca43ba52635b9c1259e

SHA256
75efa81b65f2b97d58cf8b3b00bc7f8e0c0ad4ff77208caa470cca67b0e11fcc

SHA512
67655a5e14569d17f7479d6e3d22e071272c6737c0aea920a6b3482c70207522e130718bd7d438093817d65964bf9bb001136e2bf60d8260d8a8fdfad67dfd0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
067dd4e8772beb7097c847b843666c18

SHA1
0bc5a876a23103293df8dad7ee3c6716ebc19d4a

SHA256
7a3b9a4728875be74828b20899a58496ce769eed9034f78e84aef06aa8dbe505

SHA512
1db0e661e25654e01854883d5ee6788b28c0f4bdbbc6c11db61afb17b0620b69854bd97fa3cfd9d90f3c6788f8836cfe1cceae81e29c04f189efd21fa24d2307

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
dab2b693f7bf4ddca71b495c657ff627

SHA1
b2598211a138258c1b1409810ddd5524cabad249

SHA256
5ab8cff1c0dec1898049ec81062d5569500494eab94f100c2c90cf367dc19a9f

SHA512
509ada333bd62136ddcc3f68007082ed057b49a4c3c6e41870b7ae6fe5f38c269cdf4190acca90c263c1e0b2f16b81fef80e57579596238cc762a6a49c49a7c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
4ba069146840297a0abf81053b38f8b0

SHA1
a05f25e22f307526f7cff226c157c5b015167738

SHA256
763a77e7cfa1fe7aa69d117abcb962e272f6144f10bb35cce5fdde7b355e0961

SHA512
e9eace2f5f02678e784904f62083514be5cec3c41211c56fbd42ddc7ad3f474fa541d9d8e9d301236661882027e25c2b6b91267c18505d6e4c04c336a868d76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
201KB

MD5
70b3cbcf47abc294168338575e8d1a2d

SHA1
7a1545b4026c13024f0795cd6c26381248b5e71e

SHA256
93b114abd054964a54436f96d5b7e9cbcdbe73c0fe808ba58e41c879624b426c

SHA512
d6a83f67fb7072f455d4175f071aa2e9df754abeaac534568d026cc6edb0fa397fad3fe902aa94cf0471640f58a0ab360f1017b7f87bfbace3ec52220705af7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\faIMEUYA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\Downloads\AMoi.exe

Filesize
398KB

MD5
940689b2a3051d51457230ac70b9a62b

SHA1
6ce2e5729122f3433ec32ad08664cea2458fd97c

SHA256
576ef2c981abbc74e6e8798f308cd9501692361379aeb6a04598ebdfb3d6e809

SHA512
c8c441af84673211578946d74b1be5217ca1001bacd31b125704f2bffbbaa347136a9b3319d05209469d35c87e9da41e79be975616ce701ad63f47d4b3543f97

Download Submit
C:\Users\Admin\Downloads\AQEE.exe

Filesize
738KB

MD5
ee37dc5dec3bdc9366c60639b89852f4

SHA1
e395234d285e59175b80506ec5a17ec88e7d8742

SHA256
fc493e9012e01d9942b8d448dff0f2a08269904148787518ce7ec61bac59c06b

SHA512
acc2e6f2eb7048a831485468f35f0b9cda982e95c0ab3cf09aad27de980fd11b3653b81c0a0d456b7a60efb5b63ba351624a78a9f03fe51b07fa8bac7aad2bfa

Download Submit
C:\Users\Admin\Downloads\AUUs.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\AkYQ.exe

Filesize
198KB

MD5
bfee97ceb47b54a91607558cb4a1677d

SHA1
40b71feef09ee092506fefba3cd55b937f20e1a4

SHA256
329781f4d03f23c6a030407dcb5e6f54e661e557b03b0054f569a1a96924c1b5

SHA512
045a42875f2f1bfd5b3d1d14c49076818407a6dc241bf67da9e3a96988a86c425d52da0800c44a9176e78a7478a1cca55fa408a1c8fd58993770de0e815ce197

Download Submit
C:\Users\Admin\Downloads\AwwK.exe

Filesize
186KB

MD5
6ced65d3cff865b53aea2210595e348d

SHA1
6fdb7715d5486e7a70c78dfc055529e519005d59

SHA256
519304c2044735c15a47a6d0600025de2e1dd8d37131d4d46dd2fcebd1d19247

SHA512
006f75b1537296c7b12a2567d644c4470383452b7e8a85965c9e2bd71ffc831de3f5e8ee7acd62d10b6f4052467b606140119bf30eda5341ceee0d7cf45eb134

Download Submit
C:\Users\Admin\Downloads\BAkc.exe

Filesize
240KB

MD5
94550bdbee765157f10a356da4b55c48

SHA1
47b0b6f86ec1a80a7afab4e1e05078cdf3b93591

SHA256
269b392f464e2302cc774243b587b47e9569bbedb2035597b842ee15b26bdc26

SHA512
16f64d3aedab7d33cc4dbdf9a8dad9a6979ccd6254d67c3d29838a86b7718f51a8ab1456c4ef58089395ff69a1090b8904e4149b129b89c3e564b53102d4efac

Download Submit
C:\Users\Admin\Downloads\BQAM.exe

Filesize
188KB

MD5
97b20f7176688ee6e132a8bc361b32fa

SHA1
7706259ba2cfaabe312213f8f4c8e7900590a391

SHA256
55dc50a6d24139a0265b9d411fb375362eac78ae634af01abbdc319a62b6bfed

SHA512
e0ac7a5bba678dcfed441734f81fb89d45afd579485f980d2d55836c7768b3126e248055935cdcf2e38dcf511a2028dfdeea37a58a69a46803d0740ec8b317a9

Download Submit
C:\Users\Admin\Downloads\Cocw.exe

Filesize
320KB

MD5
a6d528c3f8aaad82737d30a079e53420

SHA1
085ba7ff625ed5809462d03607f6745a38d33529

SHA256
5af43bcf247d60660d96d4b10abeb91feabdf32d0508f9c5c2713c118517596d

SHA512
81c70054e3c865ed9d00ac495b397bf80fcba291257e6572e0e62117488fbbb43facd174221d4884617e4de38dcf4ba8eec4ebd234b68b7d0d3b1122c997d320

Download Submit
C:\Users\Admin\Downloads\CwQc.exe

Filesize
195KB

MD5
4564776fec00fa62c5fb915f1fa0428a

SHA1
2d1e813acd8176e5131794e6edc5cbd7e1e07ae8

SHA256
a39b352ee3d7e561038f2ece186748ed96e59081e7db1e048c82495a171a60b2

SHA512
f5e6de0627b26e993d5d3999fe1c6db6b3b01d2acba0fe10bb1435d1c1403283f22cbcbe214986035b9978d3a1e36f04e31e22cf07d7de46ac8263ec1adea669

Download Submit
C:\Users\Admin\Downloads\DeriaLock.exe

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\Downloads\EowQ.exe

Filesize
198KB

MD5
5409edeae4cfc7b45f4b5fb77e74714e

SHA1
b455d788cba935a50f7965d03217190c4fd30897

SHA256
0d4f9f4e361e548ff8c1b748c0aff78508796f6d809a7103e9a7dce668973177

SHA512
b5a38818f6be312dfddf512dfb74f45bbddaf13200ae4ef4969cb9c0b379e9a540d8e3e2d45e6f0c61d6a74d8bffa50a1dc0a21adcdca41180900221439ffc28

Download Submit
C:\Users\Admin\Downloads\EsIw.exe

Filesize
210KB

MD5
2434f48f120d324c070d88a909cd9122

SHA1
7ed4b4cb2a697058f094b02bb98401d74bf7bb9b

SHA256
59c4de14c9e40c1f107b72e0f09d83b0ed1c21d2c21253ba2c7e0dbe313a8526

SHA512
63f37d7a40d17fe53ac29ee37c5ba32e34671b7542064d65fd1583f490902ac7a4119a2e24740f544977080ba8969248895e7d05999bedd5fd96cfa376b43674

Download Submit
C:\Users\Admin\Downloads\EwUy.exe

Filesize
195KB

MD5
250b8dae96e2ff1249fddc0735994477

SHA1
508d6ce3f63875387293e11a3de6b9bd63e138dd

SHA256
ec225e2869079693cd4041552672d9d86853ea06663bbe38276c382d6d0f92f6

SHA512
3bbf340800290ff68a4ec8e33d6ba6f14db37de75c691621f7322c21355ec5802da5ed525101bb6b4d5deab661eb735621d61a3cf9e5772424257f846ea48ab1

Download Submit
C:\Users\Admin\Downloads\GUUA.exe

Filesize
782KB

MD5
9667f17379f5461d31e8cf7342010e7e

SHA1
3478be247aea2024b48b1a88f9269dc915ff20ee

SHA256
b06b9b9247600d1304d353603aa055497685989f2a2ddc487bc89ca75e8f46fc

SHA512
95532957483b52d0a4b8c84debcd49ab8a4c69d9ead20cac0eda62ff8e941fc522e9bf33a88036fef7264f44d39363527e178a624eebc338facf3b4b8be10da0

Download Submit
C:\Users\Admin\Downloads\GoIc.exe

Filesize
831KB

MD5
1223f603a36722c6362926ec620b84a8

SHA1
3e49a283bb1bd021a3d74d643d8259e50b163f8c

SHA256
1425a8edc5998a6f0ff6b23d01cb7a61b9af40e8a582ad224525b88280cd24b6

SHA512
326162b8850ef82669e26f5a9ed67261b23a45af5d9766b67a4592528f6240bcf16979b107a014b6f5ebc7188f80ff695a4c922883a4bcd67b8913cf66f8584d

Download Submit
C:\Users\Admin\Downloads\Hsww.exe

Filesize
188KB

MD5
f65d705e76f2be87aa766b04ca8f9355

SHA1
60816c0883d00251786cd641f8d5fe720ebe31d3

SHA256
fdcf990f874b6dec90acd141a6153d9f1507198b4ab412adf2d6575f6a0d02d5

SHA512
899f587e25a217adf870a448bf7866d6ff08318faeec940130bbab07d178027939d0f0a21bbb55778a2672a21fcfd3f8364a12064c9e2eb26290d6601e51df0e

Download Submit
C:\Users\Admin\Downloads\IMQK.exe

Filesize
214KB

MD5
ae54312c5183c424bdc3e83d5fd07474

SHA1
c446cefba7f5c5c16146cd07185e564457859095

SHA256
6fc07117568374085b20320863f3ab1a3b5fc722467336c4f03e8a65f3772ad6

SHA512
7dd8e533bfcc9e76199241160f5e7c4d72bc388990c80932605982d5db56e89ded0031475f97eee3366de567c5629e7b5c44a3ba479fefd8d7266f0b2fcb6999

Download Submit
C:\Users\Admin\Downloads\IUkK.exe

Filesize
768KB

MD5
f0fc093d55e35420362d1da53fd33565

SHA1
01de96c62be90343cad9b659b19120bee4814aaf

SHA256
7c35bf3573baaa8aa23f5cdbe4b850583687b420cba43d1b37d70d8f769354b1

SHA512
95854ca53417e7825dfe392cffc47811ac50d2c9fb107cc9b4c17a1454faaea709ae5dd6a1b0d2cf66cd995c1084a63c750bda3437f231e45bd0dfc55a951906

Download Submit
C:\Users\Admin\Downloads\IcMw.exe

Filesize
509KB

MD5
f5bf906cfec5330dc1fa5378b20d7087

SHA1
cde6081f1c84784c7c9f4fd09a54ae5356ae6409

SHA256
e1f07ab9d3e7b828b7cf2f4ff8104f8af2b92be4aa7313eb6fe595af3be28e41

SHA512
a94db4f35bcf2a7122947b8b0f7dec713ac5ce3c5812b7565b3ab39d9f8b87f848cca221e58c64bf66499602af11cdc8df4c32617f0932dfabb64bc4443c5c6d

Download Submit
C:\Users\Admin\Downloads\InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\Downloads\IsYW.exe

Filesize
205KB

MD5
d4e5e803b0d87d730d7a9d2a1e590c1e

SHA1
530cf68600317db034ccacc459ba1e157d5e9e63

SHA256
9e4f0f4d368d45a18b797f5932e4c6b3671e0532b28d3157743f23e12d58664d

SHA512
03db3ac12d66f3c7e590ee3fe3a34d5d4abee9302cea3911175e829a7e7defab16f3f39685d7cbec749b4b888b2557afc17bae5e6629397d9c7bdacab9f0e162

Download Submit
C:\Users\Admin\Downloads\JUUg.exe

Filesize
207KB

MD5
3b73a0fb5a60fa27b5b3b7b20271ac79

SHA1
1017189af0b4a06ca400233ed195debcc463e328

SHA256
ebe54f16e80d60b4b3f86e448fc5f7fb2d09d51a4a076421d9ed596f96853108

SHA512
d2b0c04a9739769f53c2921c8c7b961ffc7acd227acbc7ca703787737886263c19116610ab2e238574cc7a7aff45ef731a936801965de187f2ea32a8a03793d9

Download Submit
C:\Users\Admin\Downloads\Jgoc.exe

Filesize
656KB

MD5
b76bb05fce3a2326aba06bdedfdf0a7c

SHA1
40a8b5eff79ea74a6b2a6ed5e931688effb8fcd3

SHA256
031a0744420454f7919542b023035e8f5c6a94a87f14665615cab7377a45bfff

SHA512
ef41a8387a1a276c12582a4cf44ef17e9e5196b92fa854a6262c9d8ac12877fb31a1b49c8ab6036c121d616843c2481cdce303c113ca619e5e0d30304898a1fe

Download Submit
C:\Users\Admin\Downloads\KMwm.exe

Filesize
205KB

MD5
a666a568da790b167cfaf8bb98fd9ca4

SHA1
aa5f45477a2e760347ed9093c8bfcbbffa6970fe

SHA256
cd56dec1c50ce8c98602bb78a32c7a50d18d4ba249c911cad4a63b34c834fed9

SHA512
6d76f17258a30960a58ec25720c7184ecdf75eb84e6876fa4052ff949d8eb15cbad1a4525816d98a61d9ee3a82e955f29e95ab0b9a373aa70ca937fe42fe07b5

Download Submit
C:\Users\Admin\Downloads\LEYQ.exe

Filesize
189KB

MD5
b439247ba105b79bd02c4b8a993f52ab

SHA1
33d552e313e01bcd2a475e7da7c69d43eccd45ae

SHA256
71362c3af4b3d5f732e21968b9875b0a507c3f93b17df10f0a26623e9c2155a0

SHA512
83a12a56fc29fd8670106d4f94a48ed3476938e040c49b13a4c365bb2cd586bc711f4920665decdfaf47e039e9d90f1795cddc3d4674160be4b78c00b4ed5e46

Download Submit
C:\Users\Admin\Downloads\LIYS.exe

Filesize
634KB

MD5
eec9a04194bc920c7bcfd07fa2a6d02f

SHA1
7f10ee482d0a52fde6eeb0e2ce6a82360069c33c

SHA256
0ca1ae7df533b63c1dd78bcc93db439d843f7c5af700f0b9adb1ad33512343ae

SHA512
d50760f27fa1ada0168d7198472a98bf61a9ed8c2c167434ae8a2d9481b9007d4f295c290a01b0123a063a4fcef4b679889cfca4546c4e7c086895a814ee57cd

Download Submit
C:\Users\Admin\Downloads\LQIO.exe

Filesize
183KB

MD5
28d150e45eb80486814f87c5913c361f

SHA1
32c5b5f85ab2cc254e399dc699ab9e64107bfb78

SHA256
5e5590872da8217b8a75c0afcec4900c476c96237f71aa5645509a4185f91e7e

SHA512
3bc8b7123d60437cdb410d0e8ff5257bde1d710d87c8a89584640ad36bedaa25ae98f965f264515ece3acedc147da373f0dde0c0f0a6c2aefb55524f9727e73b

Download Submit
C:\Users\Admin\Downloads\MAII.exe

Filesize
203KB

MD5
52efcc5841423318f235b58271533829

SHA1
0084adbbf972e5a933e6d49909e0757e7aaf1881

SHA256
9421cafb8f00a2c73b3196c62387d179ea719ef51b8d1680ee19355f97dc3772

SHA512
4b0d614f2a122b9fe90bd7d3da4437e0c19ed63c625f70fc75e57e5d7678bbe5eba74f9a561fb163ab2e3a5ac17661675978e66911b07cb85b46e643054c7106

Download Submit
C:\Users\Admin\Downloads\MQsw.exe

Filesize
197KB

MD5
67c67a4c2d4e4d453df55b49cd25f4a9

SHA1
d9d82fa9862e222efc8dd9f5290368c3e09f904f

SHA256
f60e9c608442877828a742d1278a8108170a54e91266e52f2ce9632394978773

SHA512
d6d815f27301cee7c2212b924f9afa5f9321d0e09057050f17de38209190a4a0175b3cabc84a9068d55d0896e7135ee88c86f1d237704903a1f9e43d21f7b7d2

Download Submit
C:\Users\Admin\Downloads\MwIO.exe

Filesize
203KB

MD5
3ee9a07700bd8fa3c13095d0020b6aa1

SHA1
da676736d127a6777c423dddbd33dce4ea57bf68

SHA256
9beb361b30d1ea13329e3d3fe16ba2bbd5ef665df19be6b7a8bd36e033f74a7a

SHA512
f701a6895686632a8da8b8fe082ee3ac923fd178828ae05f8776138bbc2a459e60f82598744a04efb028e1ef30c95f355b39e0056b0409b51200324574c9f82d

Download Submit
C:\Users\Admin\Downloads\MwMM.exe

Filesize
196KB

MD5
a23f4ce0b6ab8fd9831fc7bf2e93af90

SHA1
020808be82826a875ab658f1e52063a3a492f15e

SHA256
387e7b320c3d4124c8283c906358bc4685364aef0f982e88798f8efbed2527bd

SHA512
ca45fa4a56fd0f334ef5850c5af3a193fcb107413ae92739f0138d783e77fe1b5ca5b24a24d2da51ac43d73aef5b37d06a821639f6b8432ea8046bd2238463de

Download Submit
C:\Users\Admin\Downloads\Ngsm.exe

Filesize
227KB

MD5
8041f7e70617dc60aaf4ba6b3c95da1e

SHA1
2ed215caec6f482e95332728d419748addff6dad

SHA256
ddfb8381c2cff9f2bf78fe5b7054f0dbeac27e4eff2d15cd4389f270f5091c71

SHA512
8e10f0c3fe8a627d7b2b5ca4f24c5c52ddb27e31342a14791e8142cbc8d9a08b3cff15341d327765d4199a2db9b6b499bbd71b0259febd4cdd03dc396ff4b02d

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\OYMC.exe

Filesize
384KB

MD5
e2bc5cdf70cc597e7fd39b27b0e60339

SHA1
92f4c0f44aae7707a167434022d173799a7b6591

SHA256
38caa60bb4cd0d8fecb57de7bd4f6949ddbd4b5d976a14b56c087099e223550f

SHA512
898e2c9d67a85f8adc197535a4769261ee2658904f6461e20aa00dbf4654beb0eb470d5943818f19192bd9a8ecd62950b93857e63b2ea833b279ab3788eb4f71

Download Submit
C:\Users\Admin\Downloads\OkYw.exe

Filesize
419KB

MD5
5b98e5d385145fdae666d96ee00774ac

SHA1
d7512942ee3359a1f4bb87f9dfa65b075b81514f

SHA256
9e69836d850e5b8eb65777b405286970976328fc09abb08445cc91630a79d3f8

SHA512
cf6286fb5a2332f9cadeea7b86ffdf171856def0e51bdec15f32db4e3cbb42e1203379b507e5c93797a16ea289d60a96bf5d72e96e28f91e27388b951bb63034

Download Submit
C:\Users\Admin\Downloads\PQsa.exe

Filesize
1.1MB

MD5
aba0b5fe1d132487a62b00dfceb64998

SHA1
86921d1397341d8d30fa575a08d7e51ccf704894

SHA256
0d70ff8cf53bf88d4ce3e49b8eb1137984c375725dacc1bc6d3fbea51be390a8

SHA512
45dd098dafdc46d654a760d66fe500b034ec4bc0598c7edd0f286f48d2f48a063ca026945ebaefd91ee9de3e3d62bb0058dc4833db72196d01c7a781a2754a50

Download Submit
C:\Users\Admin\Downloads\PYsc.exe

Filesize
640KB

MD5
bac1baed23a4dfa71a53f642a4be31e5

SHA1
c43c846e6316b9b59df78794a212833be42a0223

SHA256
4d29542db300d9016ba945c5aa0b994b8bbf894967da2b69bf6c5fcea38edd7a

SHA512
3827f42959755b87958aa74153183efaf5d8298540a41ecdd01d4c9e1b0e5b8c33bf22de124452a0b2fa60feaf06d7c02988e99ad7d9883ca2a5cd48e743b332

Download Submit
C:\Users\Admin\Downloads\PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\Downloads\PolyRansom.exe

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\Downloads\QIYs.exe

Filesize
650KB

MD5
094d2f1d9219127226ed855d473c3897

SHA1
e2124f66a6e442467d35d9d52b002821f2ffc189

SHA256
de500923b65ed89a7b5802576bf33bae620d966e96c5bbf4fa7ca0d107bdc882

SHA512
7419e60cf0a4c608a678dd0f4f476c3c8bc43878d2aa6afcc7af489cafb4b9dc8ed9cb3122b96955d3c80e208269231ddd3a9f50b50f93accd5f3df22268677d

Download Submit
C:\Users\Admin\Downloads\QcEA.exe

Filesize
184KB

MD5
2ddf77af44d2bf2dec79cef8676e7731

SHA1
3430cf4f44990b259297d55fc0bb6e704381cd92

SHA256
d22d4a2efe541dbdb913bd1470553068c5475bcf47133eb9e50dccfc5b42d1e1

SHA512
34ca6e3d044f4cf25c1475f84958313f66f2da629453cebfa264fa92f83baa53fb0b454f4ddf88875a80f9752d6ecc39e36473c1e77ce89d68c7474fe826e1e6

Download Submit
C:\Users\Admin\Downloads\REMY.exe

Filesize
191KB

MD5
1666602a2ee9a01eee0506fbd3d62fa7

SHA1
aeb70de670a43f656434010edb1229771e301101

SHA256
5e24ada3419efcc150c978557d2733668aa5f9d262838570292cfe8a1ee3929d

SHA512
bded56dce17c11e6dd03ff610ec933dc1d36fa9d66de9432178491ff73db80eee5ffc8caaa8bfda81b2bb24877dc14f95cd45403600f42b409d72bcc13413ca9

Download Submit
C:\Users\Admin\Downloads\RMww.exe

Filesize
889KB

MD5
772a964d8b400f2bb08ef20d13032bbd

SHA1
e43076789cabee63c2c405bbe7cd170f53344c85

SHA256
005cc6fe849f28b2a64a12981b9ed3a907360fb74baf70b7ad83022bc92770c7

SHA512
0a5d68a38cda9e1d6c2b0e0c09baa21358634eba6363f5ee4f129c57fc106d2c07fa8623f5ab3655f825171791ba14fd339461164734f28b7cbd24f45f2f3016

Download Submit
C:\Users\Admin\Downloads\RwMG.exe

Filesize
233KB

MD5
55fd728d1c0a4046bac6c1eea1ca57c7

SHA1
0e4dc8185a4009e630cf78d36f0b7e11a9fc8088

SHA256
4fec1896a1791d66c6919ef5d51ea289dbfda1da26f87d1c07672684dd9aeba2

SHA512
d755dadb8cf24728f147c179c0be1bad629f741affb9cbb851d3aec8b8ed0a07f61dffc21fc6422ed71247cc5b66db257785e24b8912c6feb69a89c75d83b5b8

Download Submit
C:\Users\Admin\Downloads\SQgU.exe

Filesize
190KB

MD5
53e1257f588024c0ca532e490879786a

SHA1
f92a1886784372232d8866d1bbbe9765eb2398b8

SHA256
94f319b95f596ec7c32747bd06a6512b4b5721d0156f4ab9eecc303809831c1a

SHA512
c83fd84d98e30d7cb89d85c4e8295123f13f0e29144708bd22ed62f4bd5a6e049691901f25ac98f1aefeb4f9c487b17ced295fca790342fab40a6973b363eb29

Download Submit
C:\Users\Admin\Downloads\TAMO.exe

Filesize
1.3MB

MD5
47b5ab2be904dabbe0bf20f758d7b4d1

SHA1
ee26aa6044be63e0fd08c770b063ff87e6bb8f5f

SHA256
50b7558c934b044d74536d547e6d9cf02ba29e41e57fb3d87214cb993e480c39

SHA512
6f77c75e8cc5be7227e615d4766180c857296856ecafa9915a05773965ac1c9129f2b343b814f82ebf2e1f88c4aa396ff26aec5cfb40de721cf944390c1f0815

Download Submit
C:\Users\Admin\Downloads\UwgG.exe

Filesize
1.5MB

MD5
f7ca2cbb0c7668e9e55a90b4ae13ac52

SHA1
b0e42179ade1db9d4373c3b555de46fc0e7db240

SHA256
af56fe4e895d16e07c396a6913926a0dc3215434587b678d5973ed30aab236a7

SHA512
cba55bbff0ec93374da9fde579f20f5a76700c10ec611dd8220191554a734b17455b2b1578b629bad4e0cae608442b4c27658ff8c18189f783c24ae7f87a8463

Download Submit
C:\Users\Admin\Downloads\VMgA.exe

Filesize
221KB

MD5
d14faa090c6f64b34e5d357f312377b2

SHA1
be3f7ff789ba342a5d7ba9ad174b0f81d2beaaeb

SHA256
138eac04ca7da3aa2ce6a19c4b507de66e9e0edccd60f8e89d15669e5795a693

SHA512
4ff3ba72a3ed06c951bfedf34e6d5d79d050f31d529b729d1651f8d8fd46f9cdd1408bd7b460eafa91563703942916e16558cb8a4934fc27c64d71b1bb738a36

Download Submit
C:\Users\Admin\Downloads\VgQu.exe

Filesize
388KB

MD5
4be0fc8d5f42254d193b41ff066aad16

SHA1
b2233924aea23d992c69938756ce80dfbd604474

SHA256
87661aaec747453b10350a9a87b2a167269766ac67053c5afd4044e56eab39de

SHA512
1d024a50b6c15b18ebf877c321e945a886d7109ba5c3a5076abdce2f2f994e2594c889e7c5bacfcd295e74d837f423da09612b16820d6eae35130230ca209331

Download Submit
C:\Users\Admin\Downloads\WYsS.exe

Filesize
1.0MB

MD5
37d2ff5570f3ea126cbafcf9f793b9aa

SHA1
891e3c06ee8228fa73eb6ba24406b833646bf383

SHA256
b5b80924df4aef3a7af9a375c9fa7e8b3c137ed2a0fa2dedbc2e0eab24e7fd2f

SHA512
73d7f591fd834036f40c6aeae00b21bb7f95d9d1bc5bdc9e0762547709b1e213908be439690387776befe9fce0a5dd61edb9825b85a1884ce1fc2176d07f7a4c

Download Submit
C:\Users\Admin\Downloads\Wwom.exe

Filesize
556KB

MD5
5507628c52b47bbd991af7834b0dac06

SHA1
a20fa1e09cddb82ab490715854397562f333a5ce

SHA256
33fa0e2476f0c0bd8f67bb89f4abe6893ea121e0a879e348dc95b9553b400b44

SHA512
cf1a7b215afaa364a8e2cae561652e5e06ddb297e72017538fc9dbf38e2f52cc7ffc5ea82f01c0910fcea1f26a8d6dfeb9305473564bd574d709c962765f4c90

Download Submit
C:\Users\Admin\Downloads\XkMA.exe

Filesize
207KB

MD5
8ee77aef94c581eac7b0cb8ec8f97b09

SHA1
9456cb522696d0f750eae20c428afc99c4d42b89

SHA256
479c6d9bb9e83e9adac65ca177745d99e90866fd954499657dba6cf3a2fa6046

SHA512
f66e079e67962d1a6e5642e026e8a0236c045bd7f9679f67d22a0140314cd298df59fe35ee82b1d04a9636592d5fa213a2c749279a434822e41b6a778045c382

Download Submit
C:\Users\Admin\Downloads\YYEy.exe

Filesize
184KB

MD5
41c227a2d50891153f49900eba2d354c

SHA1
0f502b397b619df818741cb09f8bf31f9fe27c07

SHA256
df235d64b2813ba52563833d19e5a4894ddb293cec034838b258f30840cd45d9

SHA512
90bd6d3426e04dcce2276866acc2247632609079879c53417424d2226ed7d822715853b519c38d11599f0bc733c26d7d6ad5bbef84593f0a88816d35d771c7a7

Download Submit
C:\Users\Admin\Downloads\Ywkq.exe

Filesize
191KB

MD5
b185b30948bffa279efd43418efd4793

SHA1
bbe19ef588a6599509c579f0dbe39040b44843b6

SHA256
f0c4b1ee344d56f69987cc501aa85963ad1ed0232333b63d4494fa41025ee612

SHA512
dfa28c4f631a37ffda9251c7d94bfb833efba46c47596226af9cce2426b025f55a03d336023f1f253612de132b8e3836e3ea803ccd21f9e4bbfb0a95b1441a8a

Download Submit
C:\Users\Admin\Downloads\ZIIC.exe

Filesize
794KB

MD5
4204d5bce9e85cb258f03d78d064c0a6

SHA1
c1555b1cfdaed3c9ca9c6eb9e5f1463498475a61

SHA256
5f8c4c4488be4f97abafa3ac26718de1a985a6470da018ab803e8093d935d4cc

SHA512
4c734befba1b729cd8ddc633b4aee1f0560210c9e72bcfa71df6753ee1be47cb2497c314eca83a473eebb8ef0793aec6128365bb1c9920efb919f3420ec7df1b

Download Submit
C:\Users\Admin\Downloads\ZwkG.exe

Filesize
199KB

MD5
ca1b9de0e975620d1a1caa90491c95cb

SHA1
0394e94b43af1985990fbc1bc0d7ee8b8d5b8c57

SHA256
8dae92247454266e9ad8083c8c461f2c8030b08fcd49689d91c5b14253723cef

SHA512
5873e819771bf43557e43f32108b45e3c7b10461a0083954b2595019267766454e516f9e30bf00df21f229df34001ec77e8042829054c0a7fc05d02184a64d74

Download Submit
C:\Users\Admin\Downloads\aMEU.exe

Filesize
191KB

MD5
9367f735cc4715a3dba37c5e461230ba

SHA1
8cb36ad33cb9a849d836c9526d6d19426fad11b2

SHA256
74dc7d5c615e601876dd2bd527d6ab1f6e954f236651f0937bd57b1b7c00af0a

SHA512
ec7a0a866c253beedf7fc17d3fb3bda27be915f169fe6366eb1bf1156a3128a2353d98266ca1d5eac331902ff228e409d8d139e59e332b3698e86ff403d7fc48

Download Submit
C:\Users\Admin\Downloads\awEs.exe

Filesize
319KB

MD5
2d0968a5eb99ab964efbab1006ddf2c5

SHA1
b7806e3e374153af62adcd7b528c7890eaf0bbf9

SHA256
1ce78cb7765ba96c5f4654a8bb2a6bc4197f07630d848d91d3954f8018a25880

SHA512
061a2f9b39329ca2de07da3acebe6ac6e5460add82b2c91876f6c1d11205d51c7a333cf2a65fb0dbfbbb22894b5e1286678f4ecdfca1bbc5a959287b1c27dfc0

Download Submit
C:\Users\Admin\Downloads\bEoQ.exe

Filesize
791KB

MD5
9af8444aa1ac82ae305ccaa35260da8f

SHA1
39d29d9938a98b09810082928514d53e2191e362

SHA256
83ee7136a96604848dfa620998c13e1c66354cc7d6e69c12c556e7467983d6bc

SHA512
bd69e087d3106841172c0048b4f85cb2ecefd7995dd1374ffe2b99de5dd0d274090d4f07c0a6b7c1850edcbd513e8e8cd8517ad986eebe3cb2b39ba138e21dc8

Download Submit
C:\Users\Admin\Downloads\bEoW.exe

Filesize
1.3MB

MD5
f8c5b75fc490a4e736054edca78a5531

SHA1
05e792c5a9b66dec2a8e1359f1e4d7d3c63142e2

SHA256
b6f5e561a1544a39345e76a24316f2ddac9b0fa37947538c563683d3b73d17cb

SHA512
de63c9fbd40f90e1b0a9cb1ae50fcc276cb6f2a453b793c53933f894b8eba1d58ad2dc9ec42931796578960ca18831474659816c34bf473fc934e0bd9087b901

Download Submit
C:\Users\Admin\Downloads\bEww.exe

Filesize
1.4MB

MD5
7dffe25fc2900be17253230a441c4ef2

SHA1
27d4b53e6a04489c8044d3225b823d8af6b26c5b

SHA256
24253ac93ba644673fe68b9c4d80b7ba1dffdd86d41b8eeb240c06f7bb6f6710

SHA512
17df419d9b1b83e49305dd51261977973a1042bad23c25d44297ba446930c3ebaa3c4e4bd1f79fa1b827900aa27c1005e042dd3c4a49cb53f1c1cba0b1db4ebc

Download Submit
C:\Users\Admin\Downloads\bIsg.exe

Filesize
600KB

MD5
94b35d06f9d171f500628217ec707d8c

SHA1
82089f464a5a5872b76ab9baca5cadaaaf3702a7

SHA256
8b9e92f3c34d76da1637fe501227378595f2f0c3931cf67b09ba35e6b0bd3ea0

SHA512
4cf6f94afb18d5a86c563ffe50a371192a54f4c6db861e8be99d1c1c05e6b1284f13e92028420ff247d70918ad9f8545b71d197ab8ceede7325d0645e8d6534b

Download Submit
C:\Users\Admin\Downloads\bccM.exe

Filesize
186KB

MD5
fccfbf17b7287a8d7da4564b467749e1

SHA1
408e19cbfe2c0b15ae328f5f44b0cfea4b2f3026

SHA256
a937f635d93e04825f84d79989ef3b3387819487b6fc7b734498db1a2d15636b

SHA512
8dd1b3113f729874a24154b47032d9a700cda3db20fc93c3cf8d6deeff18ad855b0b7acc692e782760dcfa579df17feca80938d6431efe6c6363b7418ed68a60

Download Submit
C:\Users\Admin\Downloads\cEsI.exe

Filesize
322KB

MD5
df5380ff935706c67f204428e88ea252

SHA1
87f439761cd6c1366dc162bf8336c5701115908f

SHA256
5153fd351800ce392fc59cf6fcf548ecfe31fbaf5b952d288d680c7603c8fad7

SHA512
a191396a2eacaa67b5621ac794b47e40d02c665b3126b28b8d9c2f712cc6b1eaeece5f14ecbce226b1111d4b5e13d15982fd401c55e587396da7555111ea160a

Download Submit
C:\Users\Admin\Downloads\cMIK.exe

Filesize
224KB

MD5
fb18c42b9a770b3af83978fe6369d731

SHA1
a64f25669f75d7f11918b67b54952848a41e5b04

SHA256
8b17bf864db216f2347053c679688633498c7db60a211a089c45c276c3734be8

SHA512
f99005ce913875a37c4f42abb59158e0aadaba802f06597d9659f64019db5fd58933d9d5601e11e73bfb525e2317a9594de4364724010e17ff9faa4623e6932d

Download Submit
C:\Users\Admin\Downloads\dIIO.exe

Filesize
403KB

MD5
e74b4755cad59672c996d81b83e8a31a

SHA1
0a95fc7e877e7a6761f3cb00134a9ca670cf4b24

SHA256
d4bcfe14932aaa35ab3448cc6854189fe82659a8340163fec506a8c736477db7

SHA512
aaacc8ddb98fc7cb1e10fec389990af42ec57e4a749b5e50a0d30f3d2fbd277b58af0af873641e6ff78605a44cc4776ea5d27d36de3313f531b0a9b5e6f767ca

Download Submit
C:\Users\Admin\Downloads\dMsi.exe

Filesize
194KB

MD5
eb9f46c9246c146e2e8d726cc0a7ca7c

SHA1
35bfedabfd481629a28fadf5f6a759f6f914d8e1

SHA256
41444c0602952ec60331a6ff6208fde451b856bdd2b53815e3a28e0e12dda060

SHA512
3c97e589ffee8b66c25985254eb933b8cfe8ca5ba9d7a89ea7833ba84fa002f5b2cd9ea06ef03e6e0913648853d6a842da9c439910a18010663a9a27ea7d2255

Download Submit
C:\Users\Admin\Downloads\docs.exe

Filesize
206KB

MD5
7bf959918399ae59e7cb7081d8933669

SHA1
b3b54370b3cb328996d6b098897bfd5e416053d6

SHA256
c18ebb5fc1043c89a4f149f0681fd214f16c94df534dad5ccffe8ee8965d533c

SHA512
9d599531b6d313d4e485e4570feecafe48bcd5d790d71e999c7ba10991d34b7e1c27af689d718fc4beaaade12092f8a504fa93f652643ce6f9049aa631a7491e

Download Submit
C:\Users\Admin\Downloads\eMoE.exe

Filesize
624KB

MD5
02fca3364cb58d7fbe917d20a6e44d1b

SHA1
a9cd1edb83f27a0177847d33091ec9f3d34e4398

SHA256
da0a0340a2b6a21ad1cc03fd71d6c9c17ce26b59f5059cb88831f3c157ca6fbc

SHA512
bf4b823504185e86249fdf0af142c83549672be28b79d6abb0197fa7ba9641890d5608ab0b9c28d8249416af8d81afcd8df4e2ab8a67da83dbc05ebaf1c3f941

Download Submit
C:\Users\Admin\Downloads\ekUo.exe

Filesize
198KB

MD5
4c3a770bc55a677259cf55d1e9039730

SHA1
cf6886222bedd2a5b68d1592730becb2b71fc1cb

SHA256
4f83f6c7ae67e017537fe0577d06cf5d3c0864d8d666843fc65de37116d871aa

SHA512
d2a93848a3be8fd79ff491c1c6d798b221eef6cdd9e64967313a387d14ab841da71c47065b573a4d101aeb4baeb06f36c7c5f5a96fe1d22d02771c1383bc381f

Download Submit
C:\Users\Admin\Downloads\fgwU.exe

Filesize
204KB

MD5
9a5f144890807258fcd94abe8d607f2d

SHA1
61915e3b4626d75eef7dc3ee7bb1fb17b1d12913

SHA256
bedfede6671960f0687d6adb77df53d41631df28c56629332323420ae6a38ed0

SHA512
0a37c418b188dbdf40830be12b297db772f78ba18f7035fd05581a4ad67ed4caa5b7101edb0f7e528aea65de81d73f08f0667e284cc0003ae6ba22d28b1b26a6

Download Submit
C:\Users\Admin\Downloads\gccw.exe

Filesize
194KB

MD5
6a231256e49db9a46ce20680d9619c6c

SHA1
a24e164236a47fe404b5e7f22bab2f51939c8685

SHA256
5fc10ba10578b2fff48bc819a533336fc5d4c2a85f2487c759a414f2dde65b01

SHA512
4800ab322605d3eb2bc8f857a2c8243bc1456b14dcbb5a9d19acbc50ee377e99af3fcfd0bb8feb18234e387b5733d5aa2eee5ed44cfb121c5008c285e711f1fb

Download Submit
C:\Users\Admin\Downloads\hMws.exe

Filesize
202KB

MD5
5183a2f1cef2a406e412d29b9154ebba

SHA1
0a5eecf74944964ab884485312eebb0c601223aa

SHA256
18b66785b1763d53052eb71b29fecbad826b8b9a53336025b212e14b084aa372

SHA512
19e4a3387e44f2fcaf525e39f7503d56ea5111eb0d29cfc100bc973071ef904a9988bc59049c007a4e6e677e82c3a3ca31c7a2d529c1e66996bffd43f8579c67

Download Submit
C:\Users\Admin\Downloads\iIIY.exe

Filesize
198KB

MD5
63a071baf7456a3aa6c73185b3730ea5

SHA1
e4252c000e94345f5a6fc435c57e18fb1a8edfda

SHA256
52e486f0f55e64c376eedd6d167c4616b49d3789a2de6b37d31a00c32a57e487

SHA512
3086279ccb09cd807c97fc2642db97c0ceff1c65abab5a1f7dd71d327bb42a5edb828ce327f951ace210360b0373a2464abc087f73582ee564100ac6c1af3f24

Download Submit
C:\Users\Admin\Downloads\iIQY.exe

Filesize
219KB

MD5
e610f4249a5e6d056d38453dd5ab1a46

SHA1
e70f16a3467fb55bf9ffa5ea036cc2029b8605b2

SHA256
5ad3b28437a7ce9fe4272787305480be3be2f8af0c560b605550770414b2cafd

SHA512
cea3649a9cffadb7464106527e01b58a67d60bba8ab0b93ee72558c4253019813e4fc0010b35d1be3a2634d454dc43102c01f0a8299eda006f9f1c8638f0b3bf

Download Submit
C:\Users\Admin\Downloads\icEm.exe

Filesize
184KB

MD5
f4bad422acc1508fa14f67f36736b2f1

SHA1
fd7205609ff6f34d4e9d95e006353fb9894cd100

SHA256
c60bef3e4e99225d05c9af0f26432c2e0bd75bf9b9b4974ddd229d1cd69d5423

SHA512
435acde0560e46742151327cfd1f86dc7af8787b2d175a5758ad8fdf193a078039f21d66139e60a59bc1cc83af7c75fb360d3145b7c0f3476c0bf50c4cfe71ba

Download Submit
C:\Users\Admin\Downloads\icYA.exe

Filesize
197KB

MD5
4458fab01514d4661191a225aa431b93

SHA1
046003602dfe31322e279ea5ac18a18c4a2e6728

SHA256
85d574cd33c888091aed94f7469a0399add56f8c074cfc1aba9d4bfdc6d1bb0c

SHA512
8277c40075b44da957c765b419c62b94b342f14fe77abaff43654f8f6da045198dd205ec40e6435eed14711b56cd80dd45cfdc3a865993ee2e0e9b776bf4c4a4

Download Submit
C:\Users\Admin\Downloads\igsO.exe

Filesize
193KB

MD5
9cabf29c78e22b38ff1f91f3f35bb1e0

SHA1
581ed67d12aba9baed385dd125a9ff7d0305fd98

SHA256
a6a05eb9f49a9918fd5807cd65f5dd6ca0cdde22a79488d545eccad116a2ba81

SHA512
658b6c5dc1a77aeb409428ba22342a7e8c1e1710d1ad40e7aec59399ab5850b6e90073eee2ccc66d4804d095a98708393d89924982b23cbb368b9ea96fc27776

Download Submit
C:\Users\Admin\Downloads\jEga.exe

Filesize
311KB

MD5
cca2918fedf2d5f23b2466cc3fffb9a9

SHA1
ebfdbd962d135a729bc75421015ceef5d94229e7

SHA256
5c556d6ea629829412146250c87d9f57c7001c922ee85a33cea6ec7419884f1d

SHA512
186fccd2bd537badc7f78cc7335a451642b622758b033e0f3856c21ede480c635659de6846b3aeaba6161ef56891d6de2a79c0ea0b0e5a79440653c116ebdc84

Download Submit
C:\Users\Admin\Downloads\kIEu.exe

Filesize
198KB

MD5
4776bd921fc73feb297ab1931d8cc59b

SHA1
cdd96bed6bafdd70cb0a3ee046991aa6a3c4ad89

SHA256
41ab67db63c883eee24451843bc6694d21ebdc869f63e2e9c2f4bdb9c443f161

SHA512
8752fa7ddb84bcc0ef37eabf27318fea61a9f97c12812c631d1b154a517b690eb3d7ecdd3beed64f0619ffd87f05a2155f99216b2e81ee11b6d0582677c7dd5e

Download Submit
C:\Users\Admin\Downloads\koMe.exe

Filesize
181KB

MD5
33a449dae07f83257ecbf5ed986a2858

SHA1
93efd5e323ce99f4d707a3ac87370720e957c616

SHA256
1eed41ee44411c0f44f68554bdd1395b00e20edec0f9c4a2d2e923c3b7f4e300

SHA512
5da0213b23729cf8700cd50b63981ad038bf42d9f08fd093079311918c929bb126fbc4b997ec8c46a73b5807b4617723d1725bca4c4df386a5c13f7476b6a81b

Download Submit
C:\Users\Admin\Downloads\kwEw.exe

Filesize
205KB

MD5
e292f66c98cda396da0fb583e5514098

SHA1
18f749da3c861bec199c6643e216118232a223d2

SHA256
c357e5135a282412a74f8ac9782b2241ead31e32de3b40be63e558810bbaf1c1

SHA512
46d6e2a362ca4b848dbb0df4c7caf0d216aad430721ae5bcbb2065f2aaa3f8a7fbd4e2dd303763a773e9bc333fdac5ba1d916108a3bb82cbd064b4bc0c53c14c

Download Submit
C:\Users\Admin\Downloads\lkcu.exe

Filesize
1.5MB

MD5
a854f9c219826befe896932fa9e01205

SHA1
088f1b8fe4bcbffd8da0c9eb6d3b7aab15d070ff

SHA256
a3bfa06d1c514dcad1a7a6070d5405b465ab3fa65785e4bef6bc50168a272f87

SHA512
c4a1a0ca3b33dbd6e607a2013ea02b12bd58b63b95b26cacb33e8ddf90d2bbc6c84d7f0c19c72067cde98c573eabffd7f887b6311beddff58c16a60254c9a040

Download Submit
C:\Users\Admin\Downloads\lswk.exe

Filesize
197KB

MD5
5e3b478a461c894d65d093f96aae88ec

SHA1
6df1ec0f6ab68d92a341d0a91ba15faa2f417122

SHA256
45764600ba2f84e93c8e2b8e130974424e195ce5a5a65ce8ec4e20a8ddb073bd

SHA512
f6d3cabed7aa5a0892edcdcdadc736093a817cf597785e4d8a4b93b6fa5491f4bbaab4211d5227f819ed1d4c4d3ed7b1af2d35c145536705782e2b448aa1ebb4

Download Submit
C:\Users\Admin\Downloads\mAAW.exe

Filesize
216KB

MD5
2aa6d2a6c370cb7f62cd195a185b4d11

SHA1
478a3bb90ecd12bf48febf4093d27d59ca2f11df

SHA256
d7f3cf0ed9f51ca659161ffdee3714a65c56bebdcc0291bb447774117d948131

SHA512
4d3b5ad7dc2851f38764c435014d4698a15b55bd59a27fd9a580108e61255b3f2d364ca04ef5f6bd1db4a87b07b79a1a9bb4a7b75b0fb49fdacf35ee0cc1e0d6

Download Submit
C:\Users\Admin\Downloads\mAAY.exe

Filesize
183KB

MD5
e2c18cf9b0f3893e3e203742c6d740be

SHA1
0d24683417aa5748d66b70bada967ab1de868a9d

SHA256
adf66ee2870121503be04b523648dd91e66e5106f416afdcbc7354c2efef53c4

SHA512
6641b7f0ed58b716374503d7156cac595fb44b7275c4f7349083f7524493b933abe9531bb507296ba29ad8287795e2d9ddc2ad86981261de215cdf4f0edd0487

Download Submit
C:\Users\Admin\Downloads\nsse.exe

Filesize
193KB

MD5
ebe195bbe3112210522dbb0bf19f632e

SHA1
d1f590530079c4728328b1f59f6f14bc58b7c483

SHA256
e681f44be087e2740c13c300f38e6eda37392c63d986beaa0f17d8608c5ec422

SHA512
b8a1eb5dac631b77c74fc4412872afaeaca78aeedce759e7bc5a9778490b492dc2565da52028f99c67e81827fee16855c9573117a808169c0ed27b40381c2d10

Download Submit
C:\Users\Admin\Downloads\ogUQ.exe

Filesize
226KB

MD5
f227ae5189dff3ae06bb85fd7d102bd5

SHA1
2711fbc0dd3f8ca323ff8542bcb043b46c22512e

SHA256
f1d64726f9a82f2bedf95c39e49e3d839bd2b342c9aec78e283237e78bfa0e21

SHA512
2eb3b24935a321faa0dd8f1c7db246a9a600b53fbef3216271cba9c0dbb6af1b74a9792a8e71dbc6d38d3659e9c6b2dff3ced86b563ae8e24c2399c454ca7b15

Download Submit
C:\Users\Admin\Downloads\osgG.exe

Filesize
185KB

MD5
0762e09e94f731a5caca7d5950ee2917

SHA1
687f83efc70d43c810a366de78c8ddbf4288d331

SHA256
89cc015ecddff6b6b5365f2b94b46e23a22c18897f48ed2a058c57eca2879bd5

SHA512
622b6377a397a80c4f8e4dfe6a96d7f784301bebfaee1c010f536166674bbc047de820788c1702cefccaa0ed0305334ab49e59f548c2d1b16ba443a15ade8cd4

Download Submit
C:\Users\Admin\Downloads\pUcs.exe

Filesize
197KB

MD5
7db445e9d1daab6734371fd1324c516d

SHA1
a50950c9d9eb3ad6da7a01af89c6f2adf603613f

SHA256
dd040e9e0954c4ce38e1863d038a0d53700b057fabed78a76939b5d03de045d7

SHA512
d8834297d5e0df5b96a9689ad707a5af81e181b72d26bacac42813a8f1aaf74427a1ce80dfe0247bc4703c59d654a85cb866fd43ce8a53581b3c2bd1e162422e

Download Submit
C:\Users\Admin\Downloads\pgUg.exe

Filesize
1.8MB

MD5
320b25fe1ce9417518be4ad5662e8b94

SHA1
d3014403b5fb9b0601ba7d71bf034b82c4f28192

SHA256
16136ef3e54cc6acc2370f72c67cab9dbc32778aa9a14c30b065109bf9cbc83b

SHA512
bb043dda6fd042b933e303609a2aca5b22440abb15281cc1f07e3df99fc577100f0ad270aeb7e44e2da88e96eb210b33248e0c44a97b0da801d5bd525ccdaba8

Download Submit
C:\Users\Admin\Downloads\psIO.exe

Filesize
205KB

MD5
a24c9946af73082a11b4d50930deb388

SHA1
836449705fa939fe50e6b3b9b17e8c4492cf31f4

SHA256
5babc91794cace8dda6218fe917537e90d6346ea40cbb5bec76f6fae9ff6ad85

SHA512
7f0fd62eaef343b576e953871a06136c68bba8478630ce8c0d9d0803fe084586736cab399504c9f5e00a947f7be77ab88b2ed5bd5443fd5c6723f355b8ce545c

Download Submit
C:\Users\Admin\Downloads\pwsQ.exe

Filesize
187KB

MD5
63cb9df77eecf35990f50ee0502147b2

SHA1
92f0428031031b2a2475fbe142f0b3335d05e7c6

SHA256
e46284d90c10ac43d2e16fc0167c504a43d5f13ec12be4478c300a85bb3f591e

SHA512
46e0687f78e19d080d60391a373cf1927e2fa282270b8297d43835bd65abd58109cc856fba65268064827bff05a0df4323fd4b597d65579be3755212b54a3b4d

Download Submit
C:\Users\Admin\Downloads\qIMA.exe

Filesize
1.6MB

MD5
8611b4d03c96179e215ab94128ff8ea9

SHA1
22aa8af83119f4c61b63fc40cb7ca67c19002c59

SHA256
de7e040c072a442462edb0c35546a17cc9eeb65190e514cc62748d2cff5e3727

SHA512
27b45bb5f1a757dd0308866f5579e0ece7f6f8d3eaf7fd25fe4458cb0102aee6d5ff3a12e4eeff1349b608fb0f7124d24c161383ffe4a7f53d65e77653633eed

Download Submit
C:\Users\Admin\Downloads\rAwe.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\rMEs.exe

Filesize
183KB

MD5
c9462c5f429dde5048ebaae8c2b78957

SHA1
847a3745f84677a994fe757c9ddc54b9392e9645

SHA256
e9f13aa55ce0ee44c0feb66ed84192b9223ca6c705b40d2af1539a6c132943be

SHA512
2da27ee31782b93043bc470653bbf712ff12d22c7e4c351ba1214697b180518f101ae58ace75e81757af98d39297407b7d5bbad5827b278221d419e0f6747149

Download Submit
C:\Users\Admin\Downloads\rocG.exe

Filesize
198KB

MD5
4c4b917bbd11933e4b00a364cdf4c076

SHA1
4e0ed164929c8fdb31000f7a050a0281adda2cdb

SHA256
abb0aef90c180ad952a2608082aea43000774be06173045c3b2dbd2cc2d27346

SHA512
85876f7028832b84917c0b150ee583e5b7707093137f60cfc4caa56ccc4110b535487de82deb3a687d6ea0537f703b739fa668fc9aa8f1dfb586abdd6c403b1f

Download Submit
C:\Users\Admin\Downloads\smb-z7uhqxx6.zip

Filesize
204KB

MD5
e3c77aa32b15dd325a1399fbaa3b2217

SHA1
6865c0aea8cb8a3a9e86d5ae6834954ec59a1a41

SHA256
8125b8dfffa9e21b8dce873b091fec82505458951cdb7d0fe35e4a42e97d9e68

SHA512
04abe2165e026da8bc4d630f0fefd79745f64791cfc43e4e639e2813e83bdf79de1cabeb12374d2b250e91d9dfb631513fa8af5124b3a24e97df1bfaf1fe21ef

Download Submit
C:\Users\Admin\Downloads\smb-z7uhqxx6.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\tAwC.exe

Filesize
476KB

MD5
ce192228237e2cd9b514464e2bada5f0

SHA1
0465bb8ddcdccbd3e1b8f3a1388c71422d76e63b

SHA256
1e808bd8d8d273fb997caeee4dee246e54ba123e131c089efd59e476d5aebfc3

SHA512
2bcd6964249299f0af5ecc7143602aef16191266c4ed41d05f82be0c391bfe09b7254d05cc234349f83f0998a5df22b2eef53b8eb312b8733e202fed880c5b6a

Download Submit
C:\Users\Admin\Downloads\usQy.exe

Filesize
188KB

MD5
3811ef6bffd9a27854372e89f17c8c0f

SHA1
3bd6e177b64832fd38791c57a140e7e6ac22e1c7

SHA256
5126068cde540668d8397941a782da75540b2840c433d0e87478485495ea04cc

SHA512
bfd5e8a6957b11b2c58a8dc68d3ea7a9f8b45ec9218e7d69be4147f706b42bbb03e91534cc967a9014a1762c81e5ac163ee785e7d4efa080bce0ac04396459e9

Download Submit
C:\Users\Admin\Downloads\vUEC.exe

Filesize
183KB

MD5
4dab17bcfc3eb630274c95036b848437

SHA1
8833b5af76ebe20d74f47e6f0b44f36e52789dc5

SHA256
7f93848024dceedc74b30d4f3c3a649236eb10845fa59d6fde1c865615d80038

SHA512
5cde0813a42dc5a02b5a432226e8aef7404b84e77f9319fb2559f89a8c6337cd2aeae3a05443c935a524a1569009df6729ad429f65077856329fbf2ac0db5362

Download Submit
C:\Users\Admin\Downloads\vUEE.exe

Filesize
818KB

MD5
12e6debc8d4320cef619e5cb93460d06

SHA1
63692d234fafb15e9309a4f56f9a345402efa073

SHA256
df3df3c0f34fa6ff06ba74724160743b9df28d584a20b47fb1b60c08f968c2a5

SHA512
de6dd1b06709d6914edafe4fc1d34d71ebae4b65e7ef5f30790aa28193e847c36e53818ee1fae37a2508dfce162fa8ab8bda954399c4fa1ff245160b01af0cb4

Download Submit
C:\Users\Admin\Downloads\vYoW.exe

Filesize
182KB

MD5
5ba87a8e929a079e9558dee94504bc04

SHA1
680f433b86f187f22784b7bac640b87524e39271

SHA256
3c7e5f75cb8df434e4b3125ee30b70bde8d7309838b06d2185667ab78ad76f2a

SHA512
fc52d37399663046a49a972c92d65b1498f1e5738b847a251df6870597b5d8c2a1c2a3c373792d942810f23e5d9dd63b6df942760728ad776c432d4812fce899

Download Submit
C:\Users\Admin\Downloads\wEAy.exe

Filesize
200KB

MD5
eb666ad064a835500c4c3adc5fc5a1e5

SHA1
f15095ff4a8be2c07f801f54086aa53deb9bcee1

SHA256
b3b93ee8b179813c104681ebe24d698b0acf396738e5ca45cc1eafe4b34b1282

SHA512
07343851b94fb26bb6a458b22b3c820dbbfaec4aa52f8a5dabe230eaa46894bacc41bd6d50046107746a7b8c702e34d3b159112240e4a62c8204df7c4d677092

Download Submit
C:\Users\Admin\Downloads\wkkk.exe

Filesize
752KB

MD5
77dbdfbaa6cb6d36c6aeb66919362d6d

SHA1
501a8e7da80fd164d39279515de30ac21cf40da6

SHA256
b0605be4f4cb608b5efdd9971542555d0cdd43500057572dbd9602b601af01a6

SHA512
6b7ae467e4c49a7da8cff608736895a3f051defe95ccf4ca79d8f99f549000bc2669b523b8fb8a4ea57e4af217d83b71bb91668d087d3e4df5346d3054302469

Download Submit
C:\Users\Admin\Downloads\wkoW.exe

Filesize
223KB

MD5
0890529c1c12c9723a29a0ff796f7210

SHA1
b28dd240c609d887764bebff8ff8915596b60f15

SHA256
66fe35cf33fc6c4cd1c57e7c1899f592f17be53ce3aaba6b756e845b1fcc287a

SHA512
c09d4009e88d25c3513772486d12f4cdfb4c1a305a61240402c3a3758a0c5aef0b16c268d10a306b6098d54598a80b2cca649096ffd9ab7235c4e4dc532a0303

Download Submit
C:\Users\Admin\Downloads\wsIM.exe

Filesize
200KB

MD5
8f467e3d6d41ec5b41f3f99af99023a5

SHA1
990333c1f37d10274cbf15193001bc9c99385340

SHA256
81e7fc096fb081f8323f80ca82e5805c70bd42f849893a70a3ca13fdb87f2890

SHA512
5b63251d575f97b381d03b181f4befab7893515b4ac404f1cbee43061511ed839f23cd852c76dd66be701b61942d3a03dd60de4dcf048212c0694aa27cd8885f

Download Submit
C:\Users\Admin\Downloads\xcMy.exe

Filesize
192KB

MD5
a20e18cd096c93ee0faf7ddd484f09d8

SHA1
77ebd2b2b2fdffc90fb47394b94fba61c2c79c3f

SHA256
8b1a026f20727f953d4f77c5a64cbaed6ae19113b3b9eaa0b4ac69d7cf1a0f87

SHA512
8994e04f6372738a4f9ef2468fa58e4ea28507683e6fde90954b9a1c5427c103adaf109416e357fe1a34eb27ce7bd673a936250d85648789a61740f154c70ecb

Download Submit
C:\Users\Admin\Downloads\xgkM.exe

Filesize
555KB

MD5
5c5450dcebbd71f7cb0d56626193bf1b

SHA1
cb13feee8d56fd0dc2d7454106cf27bc145d46a4

SHA256
411072e31de1682b9d77fd6e723aadaace640be5aa527aead91a7a61e3e1f6e8

SHA512
242a9ebd4a282048c3d8c649d7a9259e46b257d25cbcc2f595289a78e03ab9735b212485165ca367d329ca8c6efd699540a9330af228cb553493e75b0d125185

Download Submit
C:\Users\Admin\Downloads\xoEm.exe

Filesize
208KB

MD5
09ed49c3f262475bc92373f3f6f09970

SHA1
3c16030475ebd79d2b3b7d4051b0440da527c597

SHA256
8a686095dc304aedf2d2938ec6001fb1095c5eae07b86302db5141d8156675e5

SHA512
3e30bd51c8c444ebf11f27e0509c7e0660acb5da4856791fda7fdaad400dd0a7b22bb0ec61a8c4528766d9b40525a0fbb89965af5b916a393919a156f5863bb5

Download Submit
C:\Users\Admin\Downloads\yEQI.exe

Filesize
804KB

MD5
82f7f98333e28adc3335c92fc6e3087c

SHA1
f02dc3a5f2cbfc8b65dc90549c6c8b3656db5bc9

SHA256
a5b94ef63ada2f2fa12c0b548499a27177751c7f198c99d8ef4db00400563908

SHA512
c1558e70967afa4fb37c30e6cd3f64a5e109c29d4ea0975e806055e3fac27419124731775c1d8418c1370fd2c0eb00cfce67e6c9b101bc2f245c8aea886438d7

Download Submit
C:\Users\Admin\Downloads\yMUg.exe

Filesize
196KB

MD5
f89015d24d09084b0c16883c6ffefd47

SHA1
c7e9dc47037eb423a89ca26498855b5a23fc1c6d

SHA256
b388ba3e630076f0e2992f955ef11398125ab8a6e8cba0664790d7e95686e27c

SHA512
e7801772ab0440b7117247e11f1c3f8d4c8ef310a63d41481a9a4e99dd24a24f07e2394e3e37c02785e04435e7a29bbd8339db927d21c5beda8cb26cb3cb7c3b

Download Submit
C:\Users\Admin\Downloads\ywos.exe

Filesize
256KB

MD5
59d25d78f6d0edb476071015c7cc167c

SHA1
010bf42a67d8ff50b41244b76ac12743646a14e0

SHA256
e1c410bc1f67e5c0a2f26a833ebbc6b995e4717a12d753c776afe650198ccbb0

SHA512
6cef9d2b70fd3aa309bebdae24cd78873c49f3fc910d649b2f6409ca9df828fd7d6c2f6acbcfae5a6e88a74e81e55c9f4e68b242deee688630005389cca0cc73

Download Submit
C:\Users\Admin\Downloads\zwUK.exe

Filesize
198KB

MD5
9789c7c5a397741238a2835998b7011f

SHA1
7c5e24a99769ea82ee8350d3bafeacf1d2fea371

SHA256
e39b69c23fbc333668557ff4d0573b161dd369fdc9a719d4bfe9749e6be14bb2

SHA512
7f5cbabaad770974633ca78d6ac17db25b5cd198d0cdd24354cd2a69bb4ac2c5c9179bdc83d1933abb17a409fbea95592a2a1af289cfa486e71a2ea994fb09ad

Download Submit
C:\Users\Admin\OsMkwgAA\HwEsQQAA.exe

Filesize
192KB

MD5
645b8fa0dbeb696c5b15e9b6a53a3c41

SHA1
37140c22dadee426f8cd2ba2dbf1a2bf82df89d8

SHA256
625a07b492fb3be4a96e5c4be6b287a094f7cbe7bbadaa056c0c752e04884924

SHA512
09d5f5f0b41e440aeffd7fc74c04b562c4489b3fe4c1d123343443b373473ca7cdbff53bb02dee7cd7098f65f88d7ac68e3f7b5585c03609bada12b95e89fcf8

Download Submit
memory/8-1001-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/424-1288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/424-1254-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/744-1079-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/820-1377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-1393-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-1018-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/920-984-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/928-1325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-1340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-1115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-1385-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1012-1028-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-1089-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-1097-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-960-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1136-969-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1180-1220-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1180-1726-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1180-1648-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-1439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1316-1149-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1372-1280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1524-1165-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1532-1326-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1532-1244-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1540-956-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1564-1209-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-1228-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1660-891-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1720-1071-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1724-1411-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1724-944-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1776-917-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1892-1201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1932-1791-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2152-1566-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2152-1045-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2328-1358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2328-1010-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2340-1367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2340-1359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2392-1123-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-1430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2744-1466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2744-1457-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2760-1339-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2760-1348-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2768-1105-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-992-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-1856-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-1236-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-1270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3144-1327-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3344-1173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3344-1184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3468-899-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3508-1479-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-2571-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-817-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-851-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-831-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-816-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-805-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-804-0x0000000002470000-0x000000000253E000-memory.dmp

Filesize
824KB

Download
memory/3508-806-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-919-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-6224-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-819-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-3643-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-1216-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-832-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3508-4309-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3552-1262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3612-1296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3612-1305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3880-1315-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3880-1839-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3900-930-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3932-1475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3932-1467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3980-1458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4024-1063-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4060-1420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4060-1413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4104-1131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4340-1632-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4340-1567-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4388-1847-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4520-1338-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4520-1855-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4520-1330-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-1139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4604-1829-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4604-1820-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-1297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4640-1037-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4640-1027-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4716-1403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4716-1480-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4716-1502-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4740-1053-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4868-1157-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4956-1323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5052-1174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5052-1438-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5052-1449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5064-904-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5064-884-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download