1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PolyRansom.exe
Size

220KB
MD5

3ed3fb296a477156bc51aba43d825fc0
SHA1

9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256

1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512

dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
SSDEEP

3072:EJv/3Ppzq+M4Lh5VWK5qlYRV+hvuFiweXXbGgL90v5mq33Z3:8hzEA5GlYMWFBeXvx0c+3

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	dwwEYEgc.exe

Executes dropped EXE 2 IoCs

pid	Process
4056	dwwEYEgc.exe
2044	ZKQYsIsc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwwEYEgc.exe = "C:\\Users\\Admin\\qUMsgIMc\\dwwEYEgc.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZKQYsIsc.exe = "C:\\ProgramData\\zgIQQoEY\\ZKQYsIsc.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwwEYEgc.exe = "C:\\Users\\Admin\\qUMsgIMc\\dwwEYEgc.exe"	dwwEYEgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZKQYsIsc.exe = "C:\\ProgramData\\zgIQQoEY\\ZKQYsIsc.exe"	ZKQYsIsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4928	reg.exe
4792	reg.exe
3120	reg.exe
4012	reg.exe
2272	reg.exe
1848	reg.exe
392	reg.exe
2336	reg.exe
636	reg.exe
4532	reg.exe
3800	reg.exe
3776	reg.exe
2096	reg.exe
5028	reg.exe
2884	reg.exe
2216	reg.exe
1680	reg.exe
3740	reg.exe
948	reg.exe
744	reg.exe
3896	reg.exe
2956	reg.exe
328	reg.exe
5032	reg.exe
2808	reg.exe
1608	reg.exe
3228	reg.exe
1560	reg.exe
2352	reg.exe
392	reg.exe
3792	reg.exe
3668	reg.exe
3028	reg.exe
2032	reg.exe
2972	reg.exe
3548	reg.exe
1944	reg.exe
4152	reg.exe
4496	reg.exe
2856	reg.exe
5116	reg.exe
2160	reg.exe
2296	reg.exe
5032	reg.exe
4076	reg.exe
2204	reg.exe
5056	reg.exe
2308	reg.exe
3972	reg.exe
1740	reg.exe
2336	reg.exe
2528	reg.exe
2368	reg.exe
3844	reg.exe
4996	reg.exe
5112	reg.exe
3132	reg.exe
5008	reg.exe
1696	reg.exe
1428	reg.exe
328	reg.exe
1552	reg.exe
548	reg.exe
3308	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
516	PolyRansom.exe
516	PolyRansom.exe
516	PolyRansom.exe
516	PolyRansom.exe
1520	PolyRansom.exe
1520	PolyRansom.exe
1520	PolyRansom.exe
1520	PolyRansom.exe
2828	PolyRansom.exe
2828	PolyRansom.exe
2828	PolyRansom.exe
2828	PolyRansom.exe
800	PolyRansom.exe
800	PolyRansom.exe
800	PolyRansom.exe
800	PolyRansom.exe
4524	PolyRansom.exe
4524	PolyRansom.exe
4524	PolyRansom.exe
4524	PolyRansom.exe
392	PolyRansom.exe
392	PolyRansom.exe
392	PolyRansom.exe
392	PolyRansom.exe
540	PolyRansom.exe
540	PolyRansom.exe
540	PolyRansom.exe
540	PolyRansom.exe
2036	PolyRansom.exe
2036	PolyRansom.exe
2036	PolyRansom.exe
2036	PolyRansom.exe
3892	PolyRansom.exe
3892	PolyRansom.exe
3892	PolyRansom.exe
3892	PolyRansom.exe
3748	PolyRansom.exe
3748	PolyRansom.exe
3748	PolyRansom.exe
3748	PolyRansom.exe
1824	PolyRansom.exe
1824	PolyRansom.exe
1824	PolyRansom.exe
1824	PolyRansom.exe
3944	PolyRansom.exe
3944	PolyRansom.exe
3944	PolyRansom.exe
3944	PolyRansom.exe
1272	PolyRansom.exe
1272	PolyRansom.exe
1272	PolyRansom.exe
1272	PolyRansom.exe
5068	PolyRansom.exe
5068	PolyRansom.exe
5068	PolyRansom.exe
5068	PolyRansom.exe
5024	PolyRansom.exe
5024	PolyRansom.exe
5024	PolyRansom.exe
5024	PolyRansom.exe
3020	PolyRansom.exe
3020	PolyRansom.exe
3020	PolyRansom.exe
3020	PolyRansom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4056	dwwEYEgc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe
4056	dwwEYEgc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 4056	516	PolyRansom.exe	84
PID 516 wrote to memory of 4056	516	PolyRansom.exe	84
PID 516 wrote to memory of 4056	516	PolyRansom.exe	84
PID 516 wrote to memory of 2044	516	PolyRansom.exe	85
PID 516 wrote to memory of 2044	516	PolyRansom.exe	85
PID 516 wrote to memory of 2044	516	PolyRansom.exe	85
PID 516 wrote to memory of 2360	516	PolyRansom.exe	86
PID 516 wrote to memory of 2360	516	PolyRansom.exe	86
PID 516 wrote to memory of 2360	516	PolyRansom.exe	86
PID 516 wrote to memory of 3896	516	PolyRansom.exe	87
PID 516 wrote to memory of 3896	516	PolyRansom.exe	87
PID 516 wrote to memory of 3896	516	PolyRansom.exe	87
PID 516 wrote to memory of 4904	516	PolyRansom.exe	88
PID 516 wrote to memory of 4904	516	PolyRansom.exe	88
PID 516 wrote to memory of 4904	516	PolyRansom.exe	88
PID 516 wrote to memory of 3272	516	PolyRansom.exe	89
PID 516 wrote to memory of 3272	516	PolyRansom.exe	89
PID 516 wrote to memory of 3272	516	PolyRansom.exe	89
PID 516 wrote to memory of 1256	516	PolyRansom.exe	90
PID 516 wrote to memory of 1256	516	PolyRansom.exe	90
PID 516 wrote to memory of 1256	516	PolyRansom.exe	90
PID 1256 wrote to memory of 2564	1256	cmd.exe	96
PID 1256 wrote to memory of 2564	1256	cmd.exe	96
PID 1256 wrote to memory of 2564	1256	cmd.exe	96
PID 2360 wrote to memory of 1520	2360	cmd.exe	98
PID 2360 wrote to memory of 1520	2360	cmd.exe	98
PID 2360 wrote to memory of 1520	2360	cmd.exe	98
PID 1520 wrote to memory of 3668	1520	PolyRansom.exe	99
PID 1520 wrote to memory of 3668	1520	PolyRansom.exe	99
PID 1520 wrote to memory of 3668	1520	PolyRansom.exe	99
PID 1520 wrote to memory of 2376	1520	PolyRansom.exe	101
PID 1520 wrote to memory of 2376	1520	PolyRansom.exe	101
PID 1520 wrote to memory of 2376	1520	PolyRansom.exe	101
PID 1520 wrote to memory of 4312	1520	PolyRansom.exe	102
PID 1520 wrote to memory of 4312	1520	PolyRansom.exe	102
PID 1520 wrote to memory of 4312	1520	PolyRansom.exe	102
PID 1520 wrote to memory of 1816	1520	PolyRansom.exe	103
PID 1520 wrote to memory of 1816	1520	PolyRansom.exe	103
PID 1520 wrote to memory of 1816	1520	PolyRansom.exe	103
PID 1520 wrote to memory of 2036	1520	PolyRansom.exe	104
PID 1520 wrote to memory of 2036	1520	PolyRansom.exe	104
PID 1520 wrote to memory of 2036	1520	PolyRansom.exe	104
PID 3668 wrote to memory of 2828	3668	cmd.exe	109
PID 3668 wrote to memory of 2828	3668	cmd.exe	109
PID 3668 wrote to memory of 2828	3668	cmd.exe	109
PID 2036 wrote to memory of 4832	2036	cmd.exe	110
PID 2036 wrote to memory of 4832	2036	cmd.exe	110
PID 2036 wrote to memory of 4832	2036	cmd.exe	110
PID 2828 wrote to memory of 4580	2828	PolyRansom.exe	111
PID 2828 wrote to memory of 4580	2828	PolyRansom.exe	111
PID 2828 wrote to memory of 4580	2828	PolyRansom.exe	111
PID 4580 wrote to memory of 800	4580	cmd.exe	113
PID 4580 wrote to memory of 800	4580	cmd.exe	113
PID 4580 wrote to memory of 800	4580	cmd.exe	113
PID 2828 wrote to memory of 4076	2828	PolyRansom.exe	114
PID 2828 wrote to memory of 4076	2828	PolyRansom.exe	114
PID 2828 wrote to memory of 4076	2828	PolyRansom.exe	114
PID 2828 wrote to memory of 2128	2828	PolyRansom.exe	115
PID 2828 wrote to memory of 2128	2828	PolyRansom.exe	115
PID 2828 wrote to memory of 2128	2828	PolyRansom.exe	115
PID 2828 wrote to memory of 2368	2828	PolyRansom.exe	116
PID 2828 wrote to memory of 2368	2828	PolyRansom.exe	116
PID 2828 wrote to memory of 2368	2828	PolyRansom.exe	116
PID 2828 wrote to memory of 1620	2828	PolyRansom.exe	117

C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
"C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\qUMsgIMc\dwwEYEgc.exe
  "C:\Users\Admin\qUMsgIMc\dwwEYEgc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4056
- C:\ProgramData\zgIQQoEY\ZKQYsIsc.exe
  "C:\ProgramData\zgIQQoEY\ZKQYsIsc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
    C:\Users\Admin\AppData\Local\Temp\PolyRansom
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        8⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        10⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        12⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        14⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        18⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        20⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        22⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        24⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        26⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        28⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        30⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        32⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        33⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        34⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        35⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        36⤵
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        37⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        38⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        39⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        40⤵
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        41⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        42⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        44⤵
        
        PID:1896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        45⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        46⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        49⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        50⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        51⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        52⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        53⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        54⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        55⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        56⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        57⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        58⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        59⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        60⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        62⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        63⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        64⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        65⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        66⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        67⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        68⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        69⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        70⤵
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        71⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        72⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        73⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        74⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        75⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        76⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        77⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        78⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        79⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        80⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        81⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        82⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        84⤵
        
        PID:328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        85⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        86⤵
        
        PID:1500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        87⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        88⤵
        
        PID:1140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        89⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        90⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        91⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        92⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        93⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        94⤵
        
        PID:3932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        95⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        96⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        97⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        98⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        99⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        100⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        101⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        102⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        103⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        104⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        105⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        106⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        108⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        109⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        110⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        111⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        112⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        114⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        115⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        116⤵
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        117⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        118⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        119⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        121⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        122⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        123⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        125⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        126⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        127⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        128⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        129⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        131⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        132⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        133⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        134⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        135⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        136⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        137⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        138⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        139⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        140⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        141⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        142⤵
        
        PID:1788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        143⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        144⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        145⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        146⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        148⤵
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        150⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        151⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        152⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        153⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        154⤵
        
        PID:2136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        155⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        156⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        157⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        158⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        159⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        160⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        161⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        163⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        164⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        165⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        166⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        167⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        168⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        169⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        170⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        171⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        173⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        174⤵
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        175⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        176⤵
        
        PID:512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        177⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        179⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        180⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        181⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        182⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        183⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        184⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        185⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        187⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        188⤵
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        189⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        190⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        193⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        194⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        195⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        196⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        197⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        198⤵
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        199⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        200⤵
        
        PID:4800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        201⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        202⤵
        
        PID:2184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        203⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        204⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        205⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        206⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        207⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        208⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        209⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        210⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        211⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        212⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        213⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        214⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        215⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        216⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        217⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        218⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        219⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        220⤵
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        221⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        222⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        223⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        224⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        225⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        226⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        227⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        228⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        229⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        230⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        231⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        232⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        235⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        236⤵
        
        PID:2296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe
        
        C:\Users\Admin\AppData\Local\Temp\PolyRansom
        237⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PolyRansom"
        238⤵
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emkEwwAA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        238⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:3792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiIsUkgs.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        236⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:2552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuYQkgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        234⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        Modifies registry key
        
        PID:636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaYMIokU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        232⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyYkUwUk.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        230⤵
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKkEwcUE.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        228⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwcwkYsI.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        226⤵
        
        PID:1352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEkAUUYs.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        224⤵
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        Modifies registry key
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSMocckU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        222⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSQokwYA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        220⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agoUswko.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        218⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAgMcMAk.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        216⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAwkMwUo.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        214⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biIosgwY.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        212⤵
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JccIMIQM.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuEYgMkg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        208⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAAUUkoY.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        206⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcgwQMAI.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        204⤵
        
        PID:3348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCwEEIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        202⤵
        
        PID:652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaQMUEsA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        200⤵
        
        PID:3120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiAMckYo.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        198⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAEUgAcA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        196⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:2884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        Modifies registry key
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKsMYwwA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        194⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcYQAAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        192⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        Modifies registry key
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NokssEUE.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        190⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viYEIAkE.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        188⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies registry key
        
        PID:2296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMUIAccY.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        186⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaUsEsIU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        184⤵
        
        PID:448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISwUwgMo.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        182⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGgYEIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        180⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgUYkkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        178⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSMEMoQk.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        176⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuYAYMMw.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoQEkUUA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        172⤵
        
        PID:1816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeMsMkkM.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        170⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMkowMgU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        168⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGAcwIEA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        166⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyIUYwAY.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        164⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqQYAYsU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        162⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LykQgMYE.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        160⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMIkwQMg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        158⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQowMwEg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        156⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MosIUsMA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        154⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKckocUU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        152⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSwAoIcU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        150⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQsAMocE.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        148⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwEwkQEo.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        146⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMoEowkc.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        144⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGQQkogg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        142⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQsgIkAk.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        140⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQkQAYMI.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        138⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAYwksIk.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        136⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEcgIwos.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        134⤵
        
        PID:824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies registry key
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQcUswMY.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        132⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuAIUQQM.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        130⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:2708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYAkgIcg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEkkQMkg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        126⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGQsoUMI.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        124⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Beksksgk.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        122⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWMowoQM.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        120⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgYkUsIc.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        118⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgooIoIs.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        116⤵
        
        PID:2708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwwcEAoA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        114⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGUEkEgU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        112⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYcYQokc.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        110⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nqkcosco.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        108⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgUgoUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        106⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoQMIsIQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        104⤵
        
        PID:1500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSoMMkcA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        102⤵
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcsYIooo.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        100⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEwwgokM.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        98⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYwwcMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSQUEcQU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        94⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsoEYsIg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        92⤵
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caMQYIcY.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        90⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EckskwEM.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        88⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Egwkwowo.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYgAsEQs.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        84⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgYEokEY.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        82⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYsUQsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        80⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUAcAcYU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        78⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCUUoMME.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        76⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xywkIYEU.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        74⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwwcAwMA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        72⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqsUgYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        70⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsoAoEYs.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        68⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGYwIgEM.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        66⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiggoQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        64⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuoIkoUM.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        62⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOYwcMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        60⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoAIskEg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        58⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeUocUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        56⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiUcoMgs.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        54⤵
        
        PID:4064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuEAgUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        52⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcsYUAIg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        50⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IewgIYwM.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqQwocog.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        46⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEkAkwEA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        44⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGgIAwkI.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        42⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuAsQYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        40⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgQskIUk.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        38⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGoEsEMI.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWUEUkoI.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        34⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgIEEMMc.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        32⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYMgUUYg.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        30⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKcEwIgs.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        28⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuUwkoMA.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        26⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgwEAEwI.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        24⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGUEQIQo.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        22⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgIEcwwI.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        20⤵
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKIIgwcY.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIIkIgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        16⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuoQoEYc.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        14⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkEgAYgk.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        12⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aowscgss.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        10⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUgQMMgw.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3748
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:4076
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEcUgwwE.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
        6⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2396
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4312
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcQEIQUk.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4832
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4904
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TekwEYsE.bat" "C:\Users\Admin\AppData\Local\Temp\PolyRansom.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2564

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
661KB

MD5
2e8661eea97ae04e54fbd72493fbaabb

SHA1
46c788192f3b7394ae9b7d314b96a1613e122f56

SHA256
47fcaa54fc64f7677576dddd1826408be423c656ab3d94da2ff301afde1daa73

SHA512
6b3004920bc865fb235b21e0e23310edbf79757844d4d0867b00d4a88be802987f541faa0f93b45c9b28bbb1aea2919b397344788ce296acf9dd44cadfc675cd

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
225KB

MD5
09b5bb4408ea9ec5ed338ce4d3a56a3b

SHA1
9b2932f26f3570e59da577f5a325995f4aa5b492

SHA256
6c54764a5da92e99c6c998f47b32d6c00f9c0311a8e67295dacc39f8f7d61c8d

SHA512
72515c2d7187b941507e49eef1eaeaecab957cb14a3c6df0527261d6d5765cd457c81334c87fe28811e83be63d29f2e92de95f7ade270b0127e6deba92a088cf

Download Submit
C:\ProgramData\zgIQQoEY\ZKQYsIsc.exe

Filesize
178KB

MD5
a2ca72d2ed81683cba7b5e885d79efa6

SHA1
36dbcc5b18af15f70e62290663f130d2498b265f

SHA256
bcc5b74bc0a2e25824f103c7c8827d7624180744384ec0ab5740c7ad4bff4aa1

SHA512
2ead24c1a80258ce603b2637d4c7107c4a3c6defc7b4f0c874876bfda4e3043269d120e25032616465021343e1f69d3bd0a86463985b2a0baf37793ee089bf07

Download Submit
C:\ProgramData\zgIQQoEY\ZKQYsIsc.inf

Filesize
4B

MD5
66dd4af19442a4447a4864b421b92fde

SHA1
0560ed87d9f7baa93f684fd29aa6b643f134a3f9

SHA256
18660bd4ae3904a35fde2b99b3ca9c5cd4d9c8cad1c14bb491414a7a6642532a

SHA512
89a5c4eb2e556baf88a08f13530f4a61d22c20749224e3c922b8659088904487e50f80f8d696128bb9c673627a8c2f3645f6cb1fa6703232d870c8f427ca7182

Download Submit
C:\ProgramData\zgIQQoEY\ZKQYsIsc.inf

Filesize
4B

MD5
b0402a3fbc6d59c18f5cc9aa0c66a6bd

SHA1
46630ce0041bf219e0810b7fb63c851ce6b8b05b

SHA256
6242b4dfcbd45e9d03dd6aa566ffc137f9abae95634a73bd0433c9d381f76828

SHA512
859e6374be6e23a6d00ce0f2463959e9b826d6d8f12b8847e98aa1ad38cfbf646e6afd05ec686630c49d3b390fee3f8950c4f93b3e14c7fc71cdbf2b250e5624

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bwci.exe

Filesize
1002KB

MD5
4d681c76858bdfce7da3b8ab16cf6e18

SHA1
b81212b3cef3b8473a17ad3449ae3a8e418b87de

SHA256
3e693b3348f1674884ed56adbcb0461beaa4c6eafe32be6e796fc5a0dfa53476

SHA512
e12557358302994d679e0d20b4ad46ce0c5632930b378b19d4a6a39d895e82931ea54734177b16d8cf99ccb4218b677046422640624505a4a2ae31b1d7e7b463

Download Submit
C:\Users\Admin\AppData\Local\Temp\CccA.exe

Filesize
555KB

MD5
9cc4cadf620bd7cb05909e383b792a30

SHA1
3546f9e7397be76aac809d64fce40d70c55945ca

SHA256
e7a040fc3575abf0d6acf041165f5aad1e94e3377727097b5e626d52bf28a5cb

SHA512
26fa98539a313ade5ebdf192d8bae179fdec934e94d1b9b40b4688159fba305b62cd9fae4791b73539791f713412044e10dd41dc563debf3066cd04310b3cf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccko.exe

Filesize
199KB

MD5
9a191493069fa2670ff32319226158d5

SHA1
a46db37f32ddcde3423523816fe51f84c2d77d8b

SHA256
9debd83872aba10337789b3d69e39b9ce1f4cfe17339adb780aed33d19a95fc1

SHA512
2f99f13d058a4de7a4bf317cb0f80260deb0d57c5fe61ea3e2618ead7ad8eba40e0f447ef6f485364fe2e2914f8151b88a2c97bda13ed30d68623d036c2fc552

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcwK.exe

Filesize
497KB

MD5
c71ffcc0ea8eae0855237d7bbd92de3e

SHA1
a5fb7db78347c260308c28c545a36e83c292245c

SHA256
c8404fac5e83163dcde57ddc257db9b265be69164b0882dd7840822d00d11598

SHA512
d33b23aeef3275d78883389d198e48ab15f736e9414f70162a1504f355414fa89c785a1e825b9363202508dbd5be2fccb44071d9ed382512d9681b52a1fcdabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwQU.exe

Filesize
200KB

MD5
23f3d9543d8d38768415161a44401457

SHA1
800d1a0dcb774bb23e56e482facec98c9ebd356d

SHA256
dc1a0fb6a5f7f2c9ddca2f9d6f9a9e950c23b2aad73697da9530f2e324615046

SHA512
5c33810bcb4fb2af22df8aa4cae6b727316fa2915e9cd67f05fd535fdd26e198edca6de95fd8579e494c66e51a9b1df56fff640f8f75f3fca5652d22c695f2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUYM.exe

Filesize
202KB

MD5
2e009e8df364ce096a312d8b6c80fa45

SHA1
903998c8f3b4b40c184ea803b2b2fdb097dc6664

SHA256
2852012f96fbcac563a67f93124d26230b82c4af3c36e76f92757808411e23cc

SHA512
7d3230bdf3e56e8f8038b26a8dff93762ec4ceb7c9a9f4abb52246f2576c0d41a7758eeab1294d920ebd2e549ea8a6102f148f0e5af04aba80308c58bcf7d410

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dcog.exe

Filesize
567KB

MD5
6f9d7cf27acbff5303092f38db4562d2

SHA1
56f05d5f26ea0e10d22e8fddc46122bf45adf779

SHA256
f4cf03f0e95d769adcebed6c005a4b0b2935f2d35fb07e0a4a758a292b8738bd

SHA512
fab26d9a9621bf157f6813e5c31725ba8ba3057528a453175799948a56bdecdef9ee618b490813f5a056c414a970a5dfef526393ca3897bf1f913fe1b438e1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAgA.exe

Filesize
206KB

MD5
f3e44abcae121c42681103e91c9a2d6d

SHA1
22415e5c240dca966a8691471de44e806b0b9284

SHA256
0a430f6d520040a8bba3501efe0b4cedb4e70c61372d3db3763cecf8f3a6b732

SHA512
d8e86db7f957ee80066d8b876d2ebdb63e72834ab257e77c272feaa20df6866bfd81b6f99805a774e28c76a01aac6160eeac8498b9b7d7ef46a7005aaf12f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekom.exe

Filesize
187KB

MD5
d453d11961dc1da6546f94631cbd7016

SHA1
145782b0b355207fdeafc531a176e2a1f55b380f

SHA256
d4cf28dd7883683b67357d51eceb8c2fb27b2d0a9a13307af191866cfb41bfcd

SHA512
cc719cfb5e198284c529bc76c9832cf3a63d5b9273879743ea7ef5cf38f1ecc3b36dfd0398338a083f4e77a7e8d3b478bdee03081105f83d6a46f2fd88363ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fcsg.exe

Filesize
195KB

MD5
cd0ba7007782d1dc8410b858b74de3b2

SHA1
13de38b0f839bb9c8677d67ad9f8f482e376ee89

SHA256
ed60ab1e57ec1b0cf9ba12f6afb75e519c4b0bfa6dd54cd7333c93e0c6a56a94

SHA512
7290794f54e50c65cace7bca1ce13c7539d4cef696d6e053159e59d2e2c360d554f2112063ec128eb23a17a123287d960023da81248225e011959c0108a4c3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUQG.exe

Filesize
199KB

MD5
13a689d647880c016aea833e687fb2bb

SHA1
e131322f58217f4b331491a22d90989126f8d67e

SHA256
8aaa7366098a9471093558db933bfc569596bca355d0bc4046f962fd251d8367

SHA512
f81c5202c0d866effdf5e4b3456215ff7beec9ea479b05e9baecde65fa99a54f7d0f91e6f21aac191a71185c52b6b52aeac0034302f55f1a8d44756b9cd39a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEY.exe

Filesize
309KB

MD5
4fe59a80c7f9250e1004e51992853e5e

SHA1
12ad69651caf1c6bbb768bdc33d8b3c284077490

SHA256
a0f964f253831eb864a1a93d28a78ceed5549598267cfdc77e4fba20b56fd5be

SHA512
50d642c387bc01d294c9a16d62d61ccafb406550afa3ff263ff73306d2709c9fec8a16b0f8381f2bf2d1ae1c0debe92b94f8b0b562ad11a6ead8df493643d8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMQG.exe

Filesize
207KB

MD5
82b081c00a862e247ba544d9f1f2caaa

SHA1
3a5ca427dd9d41d757bdb7fe318aa1b6f1927e8c

SHA256
3b5631822c2efc57e7b1cac5a035ca75fcb5a4e00421570af988e0088999932e

SHA512
79a1714bfc88c452d89f6e1873291f4a3d2fd149b92b669af2f37c049368099a783a260c9bb615e8b14b31b51ed140c7ff1365c65a5236b2cd89ac34c6268408

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgkK.exe

Filesize
638KB

MD5
bc810306e8b544e890717ee75f69545a

SHA1
86520eba53e610865139b54ecba527d0bd832dc4

SHA256
9bab84547d265f22ac8df287cbcae1bdd09c720d0089130937209edf3cf0514f

SHA512
c4e1b54164478d261797604c1f2b660fc86af83a80b1dfc97a54988370e68ce6842a11cd00233c5c80c71e6d420992bd3a6ebab6357858440d07549d34baad39

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUm.exe

Filesize
767KB

MD5
2a38a71c4cc0345d3f8fdb64707e1372

SHA1
d3128d04d2caa914b3b7f7df93eedb5a6fdba974

SHA256
bac1c11ccada3b051b5a75ab5453056b9532ecc51963110b5cfa89d2281fe8ae

SHA512
3de8e0e4cf3801bc677463fb2036613933977c3cf633f725f97a1f88d626daa2a920b2df21803cf26fb14401473e7044726fd43c62ceb15cd4fc1902d549fad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsgI.exe

Filesize
230KB

MD5
0ffc0f88e815858b792b55cf41cea946

SHA1
50847ce0cedb04480e640c6fb3460635acb070a7

SHA256
47af1b892df56a925631ee45767fe92c0393c53b9c648e54f5430a97d06bda50

SHA512
eeede9f9e05e9af1046b27981539ae153c3e0b647b0e0714c4f615c58b41a9346659324f8d51fb38c0a742928e514153d2bdad4ea2f4a387ad6b056bdadf18a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMkm.exe

Filesize
205KB

MD5
5b2a7ec3e0103661a5203138292ca344

SHA1
0f0dfa9cad33ccbf891d289a01a526176a545d0b

SHA256
fe9b97749d11788e06cd553bf6ba91b737a78209d34c9a03d6737939ad9eea94

SHA512
feec16aee018d0915afe88e6f06db5b3f7eab56d79e99a6dcd1515f0a3b499ffba7b3f764eea8dd5823c0a51034f5e30e85946e85e66c1043c8e50e7cfe6c120

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcAi.exe

Filesize
207KB

MD5
a7b54b46e9f585f093cc5aea1ec14db3

SHA1
9e9a68907868836c7583204d2681a74a57a86421

SHA256
db2c6218f184329b4cdaf4a0582f274bfb9cc1dd7086cfe6ce48fdbc0457ac24

SHA512
80d46198ab33f94d76f904586366eaf1abc9369255c43eb1417f1d0a45d7067abc61585f462a56d9acc8e51989c7ff91510a6fbb76014bac257120ac2a66e4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoIM.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEQs.exe

Filesize
190KB

MD5
6888d8f63291b1f749080ceb2a7a690f

SHA1
d50b0f408b1a7f2edf7f2661ceda20e6c05099a4

SHA256
18d35be4ab8a3a402e464db167b36d995427c61890241fef4bc3755045e45960

SHA512
1accce772e9b3713d3ef472c7623043ee73aed61edbed18905468f681e337671c86e2effa5a53dbd1a298b2044929a21e040693ec1c0ec7bbb01a48eaacec04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIca.exe

Filesize
239KB

MD5
cea02349fd2b60faf8948dfbb87af892

SHA1
eb763df6bd43331375418d79d5e31f322edb657e

SHA256
75ba7c172a72fa65e658145beeaf4acd71037d4a83f120c445f7f03c3ff7d7d7

SHA512
5aab301ec13a3149cae1812ea722c848b54e4e5a71e9cc1f846c6ab6478df6442ab3637d54abb508ac94516fdb7dd806f623fcca971195b1799876276dc6fda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEEK.exe

Filesize
199KB

MD5
0011ec6aa8e909773c4933c96745ae30

SHA1
a971e72a7e6e28cb533054f5147e89739018d669

SHA256
93695d58c1c8cb165aab05fd264895a1c6ef981901813cf1a8999c26e73f5b04

SHA512
be859231c281728d48d4f816daf067660a334b482e13375700e40bd4b8d0825baf7e0c88a8ad38e667c96ad1a3c10fc75d1b108d8221dfa91c2cecca09071e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kwwe.exe

Filesize
201KB

MD5
e791d0c45c0ff148456ef0c7db851f41

SHA1
218aae15808003ccc195f16e809aae04ba01a67e

SHA256
2fd8f481427d39eee463844daa0161aeb75d6bb76098d19cddddf34dd341a78b

SHA512
04dd6c112a126bf1a85f011b4f9f7f9e7554a1b6a493fced9099ae1dc352d762e501911d88e1f77d9774baefdacd7ba95df96a57f4fc03f8c0f8697be61e2525

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lwwy.exe

Filesize
209KB

MD5
31e02fd08e454b5f6552b58435b67b40

SHA1
c13a063c7b4048dd1ecb7888da211a53792d4acd

SHA256
a325541df0eadb1d1e3c86cfcb1d422c568573069cd53de265c502248d80e3ea

SHA512
fc71cd351aed09afeda5a7d6710dddd217754dde875a44e243ff471baab833e1bf862a64151f805348842be02fe0e02bbc7df09a94d9a1a46c9cf761d104ce3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQcS.exe

Filesize
203KB

MD5
062620eb04ffa329d4ae13ff5c9c238d

SHA1
f835bbc9b12f8c9d4b80e957637a1d4fad6a25b3

SHA256
45af9d2996b235e7d0dfe089685308930e313af50c794ef92e6ae40fbc76d8f7

SHA512
5e5eae4a450917b28ae62b7a968f8e948574efd0852428425bb724dde328c292391c8730da5acb32a172e49a29bf5ea98f353b2529133690787982a96bb59a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoIw.exe

Filesize
198KB

MD5
3a6b5687c0d42dde34b925c602e30048

SHA1
b2fa371098d1c912fdf515976e5239cca08b0a9e

SHA256
74a4060fc9b0723bc074947876cdad47f2fef316f537473eb4ecc1363ec42245

SHA512
4a9445dffcf81a9c7ddbee0bfbcff993f5021b989ef8d02190fca4dc5d25e9d080a4d88e5950a49c5d5e10b7a4c3230f72182545e5139adc3eb926495cda60a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkYi.exe

Filesize
213KB

MD5
d45c0619564d4c5f474987972420f23b

SHA1
808d3a212e93c8ea0184811a00517a51afa247f0

SHA256
69485d4c271ee1cbdc285051a3ba5d284bb9e707948c6b75443ea6ae0e7a7d58

SHA512
27114e6de581d5a3903c8adb455bb08812102e829e24c4dabbef420dd6856cbc3c9f59ef3df5cc14ba6040458bb0b4c1a1beb4f2daece27a8dafae8c73ec6d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAMQ.exe

Filesize
209KB

MD5
4e266d91001ea35806c6d02bd2d9af0d

SHA1
00a389935591f151f8e9ef881204b5d670cf649b

SHA256
48ef0d46be0c353e3aed602b35b48a6f1d589b65b33a643b386071bbfaaad1a7

SHA512
291d6119213ac40f5ae7e628f0c72922d05fba8451ad05645ed3e3ecb27f47ca37175d8fb5efdc9d5f5fc1e1593f922e6c61e71cd0950daef32a4aee3c00cf1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMoU.exe

Filesize
198KB

MD5
b4057fa784f3b8e15713ae77c052e4cc

SHA1
6f808b8f2018896c52b03a996d30c84d6eac71ad

SHA256
be30ed2503762150da0b39a7dfb87b03e1e489143673f705c27682324c2b98f9

SHA512
c4964f70df8ff0a284d6fafb39e957041a01edfa1d07ce6f1c3b5b77db983624d036609c3d077873dcec5bd226ed78d5fa3d3c7a80c34c432da69c7eedcbb073

Download Submit
C:\Users\Admin\AppData\Local\Temp\PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIMq.exe

Filesize
192KB

MD5
5210a0983b755cf71df4368d2748a52c

SHA1
a063054154c79f64833cbc88365aa09da8cc145c

SHA256
b83340745e916918986d55c56a63d19b12a85d9340094008acc0472a8d9f269d

SHA512
27fbf06a989d0e43946b886463be4ea62e33be30de51d8d955266a5e7ad424996ba74ad2e4e6681a1165a652bce9a94ddbabcd64dc882eda37768af680b6a58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUso.exe

Filesize
483KB

MD5
93643fb230bd95eb1cdcfa6547609009

SHA1
e8d2941646ad1903bc538877787334f18f872768

SHA256
d0916147960a8a0e2ff097b91edfa0dfba0410b61ca9bb24841346ca29e8da47

SHA512
2014be74474324ab60571f6fe61eb4c3f5532d6d9476bad9b5173b57f720f9b0fb14baddda00c32e91e5037b7019f37bd08c9e25c98f42da022d749dc0cbc474

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQsU.exe

Filesize
234KB

MD5
7180c572c0808201d7fd5c645f441ec4

SHA1
7848899846df1894fbc3e995708c8f9c101b90c9

SHA256
9a1f9b4be516bcb54bc2cde830110375ef2e7508ef6a87d60380b265ce30ea89

SHA512
090c9830ac0bd2c9cb9108cdd81869b92eb98f57abcd0c3ba1531fa377d3b255d369cdaa701ee85e82397faf59ac311cd949cafddddc9efba0175261151e4340

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQsW.exe

Filesize
190KB

MD5
bffc5650b432acf91d7892f43efe2bc4

SHA1
f2bd87f9b9f9db23007fbc8886a767a52659e093

SHA256
543813ad348656a71b1ae8d36cde7b7868b840b6fdfc56887055b8c834ba6e92

SHA512
3c10fc5f8a38f356f9202d41b6e19cf1180b254634e29c0c73e89c67de3026e3a550768d80572e03a35e6b597bd8cd6d4ff3effa8a1e2bd3c0949030f42c223d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcMc.exe

Filesize
203KB

MD5
2683a391b751ccee70892d6d4645ad7d

SHA1
4f371825523b22b4912df34fa6e721d1700399e1

SHA256
1c61f5289746f6340e768612ae03a43bf69553daf5dd3effcfbd58fe3d2779fc

SHA512
d0ac743bf750f96364d72a55849bf4f2b466590e0a5f94c22553128dc180fd6e3f50ec0681fc9f9563fd2a574141fbe38f6d5e7f0de3e4e47da7e9601405a2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQkk.exe

Filesize
195KB

MD5
157348a1740dfdee92f0b7234a134d37

SHA1
37aa6aa593384ed1f09cbc79a567cf2589671d11

SHA256
b1fadf546921d867b1123f0b52160865a8498e57b0db2a07713cfa52a0f82d5f

SHA512
b2e7ee58d942c5dadf8c76f566246c19f52d68dece6f68d5f72b2dcc54509a138af8280df3c3db8fa3ff78f36e16a58ec89b7179ac016b86270ce3db7e8c5c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\SskE.exe

Filesize
199KB

MD5
ebdb4e33130c896dc7f26f6259750845

SHA1
639377097aae2f2ea7d425c54261f090798e95e5

SHA256
61ac3d0a7081de3e98f7f8ba3f261f0bed2684586e31dea170873f3e3d7be691

SHA512
36b39fdae3847e076344f2972baa59835847ed73647cd84a4c82079d4975916598334b011da56c7a5ad25f1a08d0935c553e5d735a3e31cb1d5b70609b7cb70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TekwEYsE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYcm.exe

Filesize
204KB

MD5
7ab32b7103cac9b6ddafe8246eb5aba9

SHA1
3cb945a5d5649e774059a0f626f92cfe909b06e8

SHA256
3fbd18a74f57e2b2f12d86a3660ebf5fcca49e0ade9b880fa71fcdcc799c4545

SHA512
f3a5c9a225f423fb31a00044ff1c221f2646a98849d08e00611c7b24e826693857323eb37c2f20bc35094cb5f5306f65ba64148c45eb9f0f7bdfe23dcd5bbeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucwy.exe

Filesize
194KB

MD5
92b29912812b6ccb4bfece8dd6daf112

SHA1
d8cea13bd4c7a8b78cd9da69ab997cb9da3acb26

SHA256
366f69d6aae3d2eece1018c9942282a8882f299868eade79baf08836cabfd67c

SHA512
301497f6f1734a4d6171ce33464c7eabb9c58e745297aa1a5e27c786a004678e1fa54636764663644eae79c554220b7cbe12af53a355737fdb17c936feaf20ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vssi.exe

Filesize
194KB

MD5
74f53cccfae446a0502ee87117a794b1

SHA1
65227eec46cf43d31450345b4da98cf4cfdd1110

SHA256
88fc86b3ef28107630def1a8e757f8d8cb76c6512108b814d7b48032fcaa101e

SHA512
99b5e0811a610468603e932121a0751cf8a5f723f77d8013d7979329720e48aa1c02d8d8d2c9e4c1f642bd097ddbe27c48d682c4d279473294d6b72c59d5a2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAQQ.exe

Filesize
206KB

MD5
1e5ff0ed4cb3cdbc1b06913cbb507fb8

SHA1
b6a6018aa0dd3f6e568afbd0563920ad0cc86ded

SHA256
0909725045fb6f0d5e4f92ae9b7513263731467b13af77162ed5eaa49b1e7f0c

SHA512
b57290adc2757f91f23396c2d34dcd6b372066c2a5dda0269aa5048958d46fda19b5fe5fc8dc7205565af279543c3b27998f34b9d0172619af02a77fc54739c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAsk.exe

Filesize
198KB

MD5
c5c3fe00917d486eff6e140647c07347

SHA1
01b0da42ac322296db9a0033494b3b776520ff57

SHA256
41b01fafe9eae46db2a027afcd8f4d155d84c423b5e82e1f82f94e26f26bf269

SHA512
3e8a8c046b1aae7ecfa2151cccb37d24b1752ba02411503ee1d56d4b6ed6e6e88df003b0bf6fb2fa6b7b71dcbe9b9b1ddf0cb0b2168690a79eab6f7121ef950e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wosg.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMMA.exe

Filesize
422KB

MD5
c46bf920531a6713f9b786c3745a9b46

SHA1
0dfcd059885b153435eed39a7cf48e8ffbf80dcc

SHA256
33d00156fed637cf4c5dfcd09478911fa22ad62503c53019744612781971134e

SHA512
f9412f12997e006837ca3e0d15833a28d587ca0bc55e70a1aea05a3cb9b1ac7d587696d1660710a6661fb4be21c1578a1f0adf45b2a9467c41734c4abf01ff25

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcQU.exe

Filesize
204KB

MD5
8edb6610a4d5d183e81213cf0c086f86

SHA1
c5e23799ee59576a0b88856580da3dce14b4bb48

SHA256
898e110fd505d64eed23b9233db90e4b4c0060f47772a4346275b479d12853b9

SHA512
568abd5d2545095daaaccdfea595e320598f44442f8843fea0f48e8cdd7ef056987ceb9328825f882aafaaba415a988d80e72b3ad9863326c57b1d8de4f0d141

Download Submit
C:\Users\Admin\AppData\Local\Temp\XccQ.exe

Filesize
210KB

MD5
a0f65b08296955bbc32b6b6826e34ad1

SHA1
17749b54a02bfed5a3c0d6f0c80fbe83943c202e

SHA256
63d7ec0ca27b576eb433d949809cbf77095a2d2329e2feb315e59510e6c6e46e

SHA512
795fcb17f7d04389c597d127a57bf1fea5017d3284b1a3c5ac8fa1a9f9ed61984b8b248b915c4811cb9833c5fbbffcc34e34851f0ebacfb21197ada56cbb270d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIw.exe

Filesize
203KB

MD5
f5e232d2d199153468c8ca2dfc9ca725

SHA1
a8fb1bb2a40ff59661488285ba611387f400ca3a

SHA256
7fc02cfa657b817c080917e3cd5cc80fbb5e71bfebe1e77bebbf7e85da08aa15

SHA512
4328d8d40958ec305062801b45b43949b60d579541790df81484cd3ba6be8d723e8915a7eca4ce4e897c5cc765e53771fee62205d0944861f1844fe3f7fb0a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAcu.exe

Filesize
830KB

MD5
cf4f7b8cb591f6f9f86cfe42cebe282b

SHA1
e17839b80364b97747159666e1c4f1f4e9e9305c

SHA256
9d3abb7d6994d33dbc3e58c167c5b18ca1b516c789d0fc4818586a0fe34f3e23

SHA512
a2c9312033bc0397d574b1812e27d1c50e84bd9a0a7efc33d3bee2ec3333e095ba1b50611a19a2577560f2c93b1c5387dee60e25ff90b354310c9a704415ba9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYIm.exe

Filesize
307KB

MD5
43da0db6a43984542d72aa909f3da151

SHA1
36cda093c4f7af7fdc7906318926b86dcd42d4b2

SHA256
5566631c30892fe1260151652d5f9e2a7df08a3ab3350531e743cba1f33ea5c9

SHA512
b64bc605edb0295b562d689278a87079381072e27d16b34d2342d4836efec2153bfaf5c2467aa5e8d25565ed54c7c4b38ffdba4204b74a70d290b0f329e0bfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMMK.exe

Filesize
311KB

MD5
f46afc5a86a6d46e67683a72966bd2d7

SHA1
a2908d6ed1ae7318a1c004909a8946a14db3caeb

SHA256
57436f53f935ea6bca49064eda24e7e2a91a903a702b8384220eb0817a445de7

SHA512
0c25ac8f14d99ea6184b435db81eb1d0457237ff77094c519ea0ab2e3e98550163a262fde7b9584e90a8790292fbb0f3f599beb4398b6a00092a3e1793852d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgAi.exe

Filesize
783KB

MD5
c49f9d3aebcfd67de4ed48ab08632592

SHA1
73c8f277777ca3b3402746d0ca544957b2846cbb

SHA256
828e56c7e50feec253f69f5599a5dbd0f8f05d703c5ede2d7e5da8ab4d538115

SHA512
72fec644efb10bf68e966ccfd9282759ae7f643464ebd2e8134c1d5607dd72aeedf64dde1d59d215f441f7625eb0f92dca0e82be3e21f3082567eaaf8280fc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\bggs.exe

Filesize
235KB

MD5
12d5224ecaa43300ad4c36f58abe3c31

SHA1
1ba6bd07e99eef2de5c79cacbc60aed379d2cd9c

SHA256
4f98877ffe5e48195d36edb17e9b4931b7071ce9d5b66095bb9de96d2fcab33c

SHA512
e7ccbc65725708ce7e6845bcfcbc24d5afe8fb8ba0944643f314b1c8790ae0bd5ffd8827cd3e42b7ff470576bbdd2c60ab51489617636f17cb9f17c730ea2021

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgsa.exe

Filesize
195KB

MD5
98a313f695a427634ad8afb104af74be

SHA1
d8d5b7dfae09bad7820a97e7ce6108bebb541281

SHA256
e50f80ad2dba052e1974faf7ad81d93593df633699332a46ec75093ebbfa9439

SHA512
21cfcf7b76a60dc58310d03084839af21567897e7c34b4419fbcac16dc5610cf43625b801c628bb4f47ed80dca1ba24c07406bd4c3bf1fa9c3bd346f60e40227

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIMk.exe

Filesize
190KB

MD5
152c926ff8ba7ab4a48d3dcd1d1471ec

SHA1
b22205f33ead46195aac1127ba729a2cf4190c2f

SHA256
21ca9c93cffc058f34c92fee40f17a67988c7db0aac95eb079d3368f204ebcf7

SHA512
8fa90812a7ae7a9856ebbfa32860ccae8adc1211df83437ad7982338fb5ef97bf489c1ca80c9b9e6b220b10d6441ee42c0f77dbc81d8020b5f93635fdd2f3488

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAgw.exe

Filesize
189KB

MD5
e32baa08aee76aae665b165c7ae0c78c

SHA1
b7ebe16fbe97c4662f58bd24b8d3270245bec268

SHA256
6b17cf5dba565925424c91ab126760d3ee64d644d56b3c002bcf0bf3a89306bc

SHA512
44e3c36d073496b74d9593d684f8409f30403e5dbfd1711f8714a5b11bf86ec8814979505926264f5cba96e98ed5428f20b52eefc939c39e1b62c1d21602b164

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwkw.exe

Filesize
720KB

MD5
43c4c150fd4a721e5806ff2ddd8c51bc

SHA1
5427db0a96dd185faf8f3afa61dec2523dbd300d

SHA256
2b17734e3247b9f5852a362037d96183d0d73c2d90bfc37b6bdc706ffb3ed939

SHA512
c4e9fc05659121f3fcf1238aeade56546824ca23b8df7d35ecb5e4cfbd944885a35953800ef30322c138896147abd19646c1724cbaa93253b53293625ce00666

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUgI.exe

Filesize
794KB

MD5
3d67c9e1970debb40d6a726413406dc8

SHA1
0d6fa3eb86d950194691bd1dd24b46a6e901d700

SHA256
2a4eb1bfd7da650c459598854a9effb71b05733d3e1ddcd59f481f7515844da6

SHA512
2e0fb0a8c7c2fdd2d24bb4c2d4c1f1879503d7b77bf5786b8bcf8638deecdebd281721b2db8222af4a63a1fe41d014c3de6b36c908ba97aa4e167b322a22daba

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYAo.exe

Filesize
791KB

MD5
42a42ae7c816c4b396f001b74b434939

SHA1
2c6c22de3c104a1cf8c6c726e97ed9d4c7756fba

SHA256
c76256164c8e297f8ca89ef30554f6bc04301cfede3f9affb7caadcdc2387159

SHA512
5ff53f4ede85560f17e45c3ef2eaf46a5b2873580ec0b933624d27ffc036c5d18d7a1e688ed99143d7ba40ca9cfc1ec3d640820d760b8e5ec4f61efb3a5f784a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gccu.exe

Filesize
194KB

MD5
b8e32f0e553884d2621b95af0d15f190

SHA1
6dffc1bd3363e083a835dbca639dec8f8dff457f

SHA256
14820a9d847b36d099381238ab3d7cfc3009804a8263af988578be887715eb76

SHA512
4adf515a5f4d6872bcfd82ead420333226a1903e1fd008a27fd3e4b05aa4fa4d26af9b9c2ed2399665fb451388c11b169e64cde67ed2e8375a0aaa1906e67c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggMQ.exe

Filesize
639KB

MD5
9f2c5d2e68fd305afee06ecab902bc14

SHA1
af6805035e0757d3d48dacc246ce8a12df118b7c

SHA256
17dbade04b3eaeea4986799354a9ae8054ef7d4007b34f4ac57169f7207b66fb

SHA512
e732f81278cca2adb3fb0c3dba4b9e785a9cbcc9dc76cf90182d815d469b80ea28381bfb8633848efa02df90d4b9fa1f8b83b577dd5d7187ecfd43ae61fbe847

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscQ.exe

Filesize
187KB

MD5
a32e70bca5de8f03639c485f3ee5e8e9

SHA1
41c0d29a0c400605af52993bcdc8a457695fa227

SHA256
b5a8718536a8d6d52dccada0a182479ea86c89465f4d57c9b0461141b720a698

SHA512
4f441a1ebec1e2fbb2bca975d4b5d8d47cf01d7bbd0fcd3369dca3d9be4729325eb7c93ee4ad396042b863a05dc9e8d6ef37acae9b9ef682870fbb8520a34c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAkU.exe

Filesize
203KB

MD5
43128f71c9aac66d336b7cf7a75a54d4

SHA1
d813d788109f2cb9e5d6d116ff0b0c892633e63f

SHA256
0139381cc3fc7d5ad8c37c6fe2de47f8717637bfcd14bf8ce98a34492727d764

SHA512
4edaec8fe12fa945c8006f2980ee140c9c757bb80eb5b65988939f803aa0d52d4bba33443064da3e582d3fc50c6261fee915d9605b5c2443621a7f94ef44d129

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkQg.exe

Filesize
253KB

MD5
058094b5ab9cbab556dbc3fa074a52b8

SHA1
aa80fb2b18572be166bcb9a90941d7b711bfda1f

SHA256
fdaaef466bf20996d76ee8307d92113b2c731c57bef64640952895f993eebcdc

SHA512
69c5d80a2d560d7a701f3212c4b0b45520afd82f0dba7375ea4297e8942b7cb5e89006bb894123798e316c345ffca94fa4d12500b24a0869f175a8f8823059af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsgi.exe

Filesize
634KB

MD5
2c95f7b144ca7b9ab8d7b438d8b3a5d4

SHA1
186c5f5248ed0a78c003ae0e585d62cfad4fc921

SHA256
1d83e115a0891b5c1306b58cc1771fe520677a3336fb6ed32fbcfd21ecd263a8

SHA512
898f6d630da4b40c47b735aec469acda13680fc79f868cd994397bcaa81fd462ff53d3eae043d860c5d7a31e15da22988dc15db0122d84991bd70ee512f0fbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUsM.exe

Filesize
192KB

MD5
ee2a9941ab3084a359e4d1ea11088933

SHA1
bc7206a2066cfc3448228c4407e2541238fd1f34

SHA256
03397fad7d471a3ae4d21065f8225415aa3af51035fc9892ea624a3fc131d94f

SHA512
9fff9bb57e9f9da6c370e89c87c18900208942e46c627f03acd173a72515bc698728da3d4b2c80bdfe8b1914eb04af454684f973f65d413881e4622396eda635

Download Submit
C:\Users\Admin\AppData\Local\Temp\jMcc.exe

Filesize
229KB

MD5
01390437335b8b9ecf6d41b44ce57fc8

SHA1
c3bda9c5d983cdc7c4b09070c930e8517e1536d0

SHA256
e5141b1ac0a5f729269ae26fd1eeb910d67c4a712e1db0f051af7ac46b5a0c04

SHA512
0781d8abffe9bca3deb1e4a937c99f66389075402258af9066e24616da95ac0d09d986e82deb2ae2c3889931681e5da0b696c12e5b5d48b6f9daa5d14c53ae79

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQQs.exe

Filesize
1.1MB

MD5
dc8d1d9d0baef3434645bf1339f54505

SHA1
9c8ab3918dede4078e6db05e0737775b62a28859

SHA256
843d674c3e7d5346fd2201fa173590f6416c5ddff439b3a460c51290d8707b88

SHA512
20a12bc579a53dc665b348d1d0a9121a795b2fda75f75b17acbf2ba3db40c934382e881fbddc17e5e48ac376a0cf2ca56c6be3e221ba341577ecb8852788f3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUkM.exe

Filesize
198KB

MD5
10e60f0604bb6780ec3bf407aa6bc43b

SHA1
b7e9bfe46a83d2130b344f9a08fd96ffcf9f0c96

SHA256
78fef2aa50479f4759dc7f13e32b47c2b50a448c5bcd76cedaa59bce8d5d1cb0

SHA512
f0a066cc2d0f0f862da8483b6065f7ca52cf17151e63399ac74aa1fbba51085753d5d458f4bd8dc0944a0ffad258a8ae543c9c87eebbfd88efc3ded081f8ded0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkYI.exe

Filesize
1.1MB

MD5
afb0dff8357c0a4f43e3041b6e87f815

SHA1
3be9679bd95d3163ac1f82a6e2d4d51a5d5397ba

SHA256
79bf8964b7da50e8b93a96b5823b71f515efc4c33195b9d307944143804b70c5

SHA512
ddcb0690f0584e85f47be0da95e2bea41dffc760e942285df1917e7e68c14f0522af872195dbd086b0f2ea28fe3a86ed4410b85a59397241b7e21eda10fb96eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEgY.exe

Filesize
204KB

MD5
7273bd8dc61f7f9a82614078f1e5964e

SHA1
c953a2ffab3d70b66c75cd8c7f1c4151fc2cfe7a

SHA256
b5c2bb0814266d2a55ae52516860156aa6584d2deeff0f60aa106670a8a8c9e9

SHA512
ad3ed1e63de904c2b7b18bf76ed88c9aa5e352dc67457f51909d3b7a5f2d615bd9ca78f12189aff0285c7aa0b6feb294784db386f4619f28d2b936bd33de40c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYQc.exe

Filesize
183KB

MD5
e8681c20da9b37fe4e2da84232644240

SHA1
b5eb8a8272bde7c683afec5bbb2c84e2e3106fea

SHA256
df59ce4a5caf1264e2a21112fd9bb038b141d1cbc8765abe098caa6bd1e3179d

SHA512
d9ac7745c50c8d69085d7c46c1027ddeb6d33ec02450d13330a3e17a8c8afa83ad42a18c48df9dba3ea5cccda0e2f4b4456a76c5f00186adfa6a25430a3c80a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgcA.exe

Filesize
795KB

MD5
001f41026c72c304e4f5f305f8366404

SHA1
dc672f978e592570fe82097bc4b2bd5494512c3d

SHA256
603789c67202c08c359a68b4b892089fb77f8a4769242be2bc6cb1d68eceb222

SHA512
0befbcd14c8a0fcfe324a521caae9c225a1b37847f5dc11f33e2b38d5b72b67bf4a8e80c63d310789132c2e2189b658c41bf346f5ee6fd6e4510af8c822c2e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwwq.exe

Filesize
203KB

MD5
8ead085817d2b525ae6c99479bff7124

SHA1
d4173cb4c4e64863df26f34cfe737a93e7473075

SHA256
f9d846a09b6cde38f27612ca3f71298236aab78f0feb2d495e73261fe97fa0fb

SHA512
eace7695ae0c444c8925201b1adef3923e8659b2a3c28f1684deceeee82f13587d14016d724bf1901f58ca0689f67464bb313d7d075e3fa2967547f82c76aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMIs.exe

Filesize
829KB

MD5
b2e4cc3a89204fbc0a911bee8bfec020

SHA1
be5695c6891eeab6fd96e4020e48aa947a18c13b

SHA256
5e3db4e22bafd9b840961f77b31afd11c27f5913075a3f0924725b0e2ac5a899

SHA512
477292a4ff126aa08d3689218b9fc4a8605e8cd15e496fb90b5bd5e1fd0c6f3496716edf5c21df85b615530b07ac9a19976f6d6e1451b31b6b84b7a16e0147ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMgy.exe

Filesize
790KB

MD5
8e80ed2fdf5bd4c643786e3eea7b7f27

SHA1
78a2483378f506a9d850601d1383119a1027b347

SHA256
01ad0c02e50cc05384c78282583e2e5e3ee2c5b957323a90a098959723a0e4a8

SHA512
c076a7f149a1a292d3e9640d2c15fa3c08bd6ae41efeb0ce5e1e4e0e5aba2a4485c10cdb9ebffd8c614c63f7e51142556a7e462f4471eac1b21c8d36c7066708

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcQI.exe

Filesize
1.8MB

MD5
dc0352b6f7ade0cc07c3afcdf8c984fc

SHA1
926d312a1aab0ae05b0d7efa6610f238388025a7

SHA256
cceca707356e263fb9f05ce2abdd61c15ca1304b5f880b2cc4de80babcb10b1f

SHA512
8fa1051bdae1c6e2937ad18b61fdd6fa15bc5f5dc7522de1998794b29be9b2d4c368e70cb9c07f1a74a9132ec6b902a078ce3d0ad5ff641a84277b2bbdd4ccf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsEK.exe

Filesize
658KB

MD5
154274551ef472d13c6efd024c14fafd

SHA1
f5ea50bc943279cd688f198dcdf3b1e58e90ec63

SHA256
3a11e21daf56786ea8fd8dc1efbe38c0ace8e1fb95e646d0349d97b1524dc7ed

SHA512
7734ee43bbd00269df410c7de4d0a9f7e3695f939127e9e7c3d5017dd5f9b2f2e2c3d91c1695da618db25690f327bb80fe372ec643e9fc21ba78997c34d85cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsgw.exe

Filesize
655KB

MD5
60b75ee9c79a4bffaed0728e35e4d523

SHA1
2ccc824e9e080ee6bbac5388f06516d21265626f

SHA256
00201947bcf4fc70d683cf379176e38c7e8957fd1ae040baeb168832256ed9b0

SHA512
046d6cd634ceb0e820348efd2b93e42106b076a144c1396a29c94170ac8ca6635b43e9ef1c58382b179dcb93a2802f3af1b6bb6c0e326d24ad3ed49794e1e6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAYs.exe

Filesize
185KB

MD5
8a3b9811f6115f99d816f64847474122

SHA1
6d669fed347e1914eeb967c47b78797ff1f88911

SHA256
6a7c1a26f8d0a1d52197d4349fa1ec102011f33b6ac44a75baf0e9f959519412

SHA512
021adc4e68758b5de4448381a18d3107095048ffecc39d5c95798ae91cd3c6036cb34aa5562bc581437e0f7fbab030e420d1a58960f73ef56759f7e1e143d61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgW.exe

Filesize
186KB

MD5
5fda0b8418598a3687fb7f33149a8d59

SHA1
53f77c6a37c996bf0a66af8904487a31abe94c2e

SHA256
cfd2c58b0886e32dc125865fd170cae223adf2ab1c7e527311eb5bc0775acc51

SHA512
9deb401754b08f95cdc8c17dde60b647320e96feac3013f93c658fe46d13cefc1feeda3a733798ed082fd3280300a4ffd0e5f1b99d64f8ed4eeb60154bae1594

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIkm.exe

Filesize
209KB

MD5
8e6bda52e11d91884991d7deb258e90a

SHA1
e8ae69ba5186ea03fb98cd4749ab63736ee32cbd

SHA256
84b031bcbdcb742812bb1a0c25e7c6a932f86fa3c219997a7809e7a88f7be7b2

SHA512
c0b77f506809ccdcee00fe40bb65e647505f200658430936b3fee526160cfdfc3a0c85e15121062c6eba5c8db6a20af196044aaa1f68f245c6345b5994cb204b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngAm.exe

Filesize
963KB

MD5
9498e980f6a2f751fb56e23beeb4dc11

SHA1
c75ac22172dd7a7558f16275be28cd3dc4637950

SHA256
45ac9143305eb2e890239e19be2010f6e5d489ef35c9c42736ce22f2cee6baad

SHA512
db182983ec2c07a537f4ec0b78c6032e1883d276427f121283adf4fd6e740659d6f9dbefd58d5c0734db3f576dbc1e7c220f858334050eca514f9b38b1bf178e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkUc.exe

Filesize
189KB

MD5
a07bdab480d835a5e5819959ab97e6e3

SHA1
9c9428c165ad7867807e03eb7aeae40a3d1a7374

SHA256
a2cdb1c774c0821298e5e5f005f4c90b7fcef8311e76ae6c47c753c534270246

SHA512
da523a50005f1d495836532cfbfb847d80e528917b794fc37c7efebbf99e979b8158a97f9cf6172e6448fd9bb5a497b861790342ed66d44b136ae35d7d47af0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMEE.exe

Filesize
440KB

MD5
52a79824090efdbe0ae346e0a9b0b7f9

SHA1
905c65a0c9306706234dcdff958d99d1b4e3a986

SHA256
b603f09bd505b71bde2683d3e81fc8138c40ddc5833b8c26fc95709a35336b02

SHA512
0d750b3caff32af55037666f1e8b66bdb9d4b48e49a0c5ad1944d6faf93b6278d5704c2a9f8f8aa3ab50ad643314ac0519e335f2ae12630b06af298df1597a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMoa.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQQa.exe

Filesize
200KB

MD5
e5d24692eb7d8f366512e0f9da71f583

SHA1
7e69454d836e9f5926f2c4dfe51f57228e305efc

SHA256
f69f961cf16a419545034ac8b75e2b6d1b876159b3ccad8fae569ec55af5c269

SHA512
3627adef0a55c0a609b3e2dcbf3ce29f1e72d4a843ad54bd73e6a3f90b0dcd72090e4f47bebb3749acea1fb8276417eda4ace0fb77fa5647375b43edb1d2ad6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUIo.exe

Filesize
197KB

MD5
e79a3a60e89e5b75b9433ed9773a5ed5

SHA1
5fb7d8228b920b874357bd987cb81812ac5e1f48

SHA256
0ff19c7d18eddab9bc508efaf6d81365eb03b432a5242758f0f5090165634fd7

SHA512
eeab5cfe14824cf83808423fda251b2dc34959cece5c1615af9be3241f4cb2e043fdeacaf90e032ca534d3a09cc026f1c63a7d51b30c874b035af48b7eea0863

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogUo.exe

Filesize
198KB

MD5
75678c0b8a33ae886a09281fedadde58

SHA1
e633104542595d98a3da781b5b865a679aa0fcfb

SHA256
57bea840cd806815493bc315092e4e5201f10604ffb0bb41e69119787458189b

SHA512
e059395019c74f74cdfd6b52742e387d8ef2c9185ff763f607b282261aaa762ca203aaca780454e4e530966687ad61bdf4ffb45b51ace0b28f07450f2d86b9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooMO.exe

Filesize
196KB

MD5
d09a026f18d800c70c9b359cc7f6e7b8

SHA1
d2e3fa39cd811f720f7c975564e34531954b8f0f

SHA256
5c1e77bf2d19e8711a889e369cc1b6d581bdb4e0792ca77763a296a03c1dbe8d

SHA512
5f1418d26f76f32557278363dd1391ea5fbbaf95f67e65c27d220276e771b362e51c0491d0321bc951de935b00f64a26d5f25acb8cddbb853172ade9beeeb3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMAO.exe

Filesize
188KB

MD5
4ca46dfc14981cb8f6673405c220bf08

SHA1
88bcf82a8e166b21a83f78139db60e4e7c48e000

SHA256
00dadeb941570dfd56e37873b05d51ff062c9aac8f8bd45d4eaa813246d658b9

SHA512
258b0e098e697cc8c4cd922a95d103d1dfd05119cf1941b513c5280398e512d4875f3836be3895c84e09b18b4671e41af0240d832f767b457501c13ba828a967

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIUQ.exe

Filesize
970KB

MD5
da6f0a5c2d9cf41c141c70486e5cca77

SHA1
38e67549e6954866333e0abb78beae684bf05c4f

SHA256
8a410828c32c2e927e3a07e4c004e5b36d6713cad054a6ee4bfbd58c2e018607

SHA512
0ee3a0e8ffe672cccd0198e4de885b8f240da003a76a65e7c2132048c43ae0c2ca5df2da5f416198f721669e460dbc5157ba8b89fce2003c97856291a0df1f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQUu.exe

Filesize
187KB

MD5
538c10ac5c5a114079b54acff203b7cf

SHA1
b2379639a9d013dcfeb192756b932f8a8837be7b

SHA256
495ac635f5db0b0c01d3e55284f1264ba528f244192a425845c7f90167c1e341

SHA512
d0e84545e609a91740b25fb5cd64f191c47b5ad7eeb95954a09a8b907dee2ae4949533e33852cbf70fa2c510755df078982897d649f7417dfdc27b359b874d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAEC.exe

Filesize
186KB

MD5
dab8d8e15a21ba512f99e8045a07c189

SHA1
ac22ae267c255e57b44492817979da8a9a39ed8b

SHA256
d8a09fcd5ef08234a62678959cc48004b32c298c714951a5f2d4d6953f2ca096

SHA512
0fefa6eb74f4ccf09da214ea01c900ce894445d90d76f8436642ace35fa2a5cff629e1c10cdd335f10a8ec0f6dc10108dd1c3a31cfe2540e4239da9b92121105

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUYo.exe

Filesize
204KB

MD5
83c57f3255fa3a244abefbf36d6cdb3b

SHA1
95574b3c0a78c7280cbc96e7b7d884dbf95da8e0

SHA256
8c665b3ff03af606add409a86a05e1e7599f339ceadf8e575ce923101ae90ecc

SHA512
9f7e41a079127dc93548b3a6a49bc6cb63ac7dd96e69cd1c95a651ca24b8644752583f9142ebe3442d74ff4f15ad0117ea48a970557c107339332942dacd7f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucca.exe

Filesize
182KB

MD5
11e13b57078b29cee6afa8d9a2e0e3f5

SHA1
f96edb1609028f6c0eaf471e64ece631170cc916

SHA256
6bc525ce49963969cbbfe474fa37ee7e5ec4b4e54550fa30c2cf6bee4d7d3b44

SHA512
5aa4d20de075b6d42c762664c3c7555f3fb5c77ced1fa74720b25cf35a1f44f35193ca7c534ae21148cead7a1c132f74dfdb4ce5901ec6bbf15ca618427c63c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uosg.exe

Filesize
322KB

MD5
76e89bbfd131efcd5dea63ca91842c40

SHA1
cce6c3e053b9deed26b77b27068007474b178ed2

SHA256
85587973d9734b0031dc1b2bc2b846fecbdc225445bb46ef7a08b0c17a03b4fa

SHA512
64d92dc06995383baeb03b88ebe4593cc2116649150c07b93821a411abb0d80ac8706b5236b828a2690ada424efff0246018315a6b7d2caf5eae3d6c776d0550

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkQs.exe

Filesize
1.2MB

MD5
fbbe1df87f9bc9dd030a39095cf9c646

SHA1
0cfbe9df1abc88c685bf171e2510b5c963a5797a

SHA256
2dceff1fd4efa8689d981dd997ccbaadd0ef26d951372eb4095e44a6c52e4028

SHA512
d7b13dbac26f04cfefb7fb949b1ca8653d4e867ad1c3e221cf1b2aa052c8c0cf6bd979dac83ed9895e482874c9e4fd1e1599d94a664ed57df79db8d83380ab00

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIgI.exe

Filesize
195KB

MD5
1ecc24074013aef1cd749a6903ac51fb

SHA1
8c3dab41e9da2a8b2e6c7f89eb0186a54e898e8f

SHA256
ab0610b10f412220b84d8173da2a74423196403444ee43b34c2512fc0e390a2d

SHA512
4dc37c3c3191064be8078ae3da5b2085bc70be0c63f028b7b309a939bb574dc057c4b8096e596c7d36bc182ae78bb72d3b464122c4917efa5237bb06a90a1576

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkUK.exe

Filesize
205KB

MD5
5040d0f1602a3c48bf8a4f00aa22f8be

SHA1
1814ae0298569da63669c743a291ea88d71de215

SHA256
f074b143e56fa1192cc773ad6aa7758af2dd8146d0622e08aa393ef2f543230e

SHA512
f7d617e541ee039e2041cee881086fddc08b4274d4646a159fb06d94e09a7a2daa81c75e6ef42f807c2fad6e9d1fd5014100c8309a0f76db2f0a6699248dca0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgMM.exe

Filesize
191KB

MD5
a5449971062dbf303e610ab6b28671d3

SHA1
b360d8f3db65abc5d885aafb490766d946387826

SHA256
afbd81088990788fe96ade95a5d74bf2ae437f6d48d92c2f9414c2fe96b3514b

SHA512
fed1322977a9ff6232fb0a63323bb2676371cc0bc4694a72d373631d1674669f880dbf73fc906558effc68ddf29719585012cbb76d6ebb8d8db5ea955c0561d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xowC.exe

Filesize
203KB

MD5
9e919d0557efc5cc942a9af44825d3c9

SHA1
17a80ce9e1be0de6d838959b598aee211fc42999

SHA256
32dba45e547e451054aa260618f337b8ba0a9395b015856a4e49201e130873e6

SHA512
6f789de9537a401f168af03fc3904939d282ac1a3149fc097e98d303fce4268b9b54732b599f20ba95f0a3d7345ef2502720d21fd571fe00423d390ee04da4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUUe.exe

Filesize
195KB

MD5
39eecfc1d61e23ee675980a810a5666d

SHA1
38055f33650086e5389bcb4a35deac62a3b1be79

SHA256
cccbb379f43822c3637f20a8277bd4deeaa3e4b919e57af2141430174a5a33dc

SHA512
34d70c076e47f41ed599898c1877cd3e44fbf330e5a4343ccbd64808bbdbb1b8e1f7d5268d322600c3e9e337b5fe50b52f1b5306030b06fb7f3f9d0e46b609d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcQI.exe

Filesize
196KB

MD5
832055134a2d0c40301b852f75edc7b5

SHA1
c69b91c903efed7f3ec8d00418cf185ba324a99e

SHA256
f5b29a9b7b899cde0e93c76f676d18b89e43d6f0d3d5b694ab533f2f593bfb70

SHA512
a1319ffb6ee8bcf689c9afbaf0140ed13aecc818770777ad12726c4cf6cdb2442fc66c71a6056b48603932d9c240512c6fab590bb6d8fb0180ac095a5e17533e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsce.exe

Filesize
443KB

MD5
6e9d53a97f3f9f73a3b625aab1aeec4e

SHA1
d41aa61fc1666d6ef95fc345b377c32f5dc67a8b

SHA256
a3d18c475826ec67bbc9e084acfe89d9fe71a5af19684e4a87349ca949190f55

SHA512
6b067ade09812c0e5bcf8ba5a4f4fb9d00eabf82a15f33d89a5792158a6c68a5c4770ce4a7d8e60936da245567b3ba2b7eff66ae4626981cc269bcbab23aa5e0

Download Submit
C:\Users\Admin\qUMsgIMc\dwwEYEgc.exe

Filesize
194KB

MD5
01592717766af4f3c98b3b33d888a3ac

SHA1
ba7fc42043c88f207ab59966448f2e34cde7d3da

SHA256
4d3d9614e8a190c8b60d8ba3e232a114335c1f3f84cee5f7b07f305c4def4e0f

SHA512
7c74bc9a4e927d19dd536dfbad8447cdd7e6e007082f1776f340fa49a784643e7298019756923d94b859f8c130314159ba3a07d3ed34a82c6c606acb69c1e2cb

Download Submit
memory/392-78-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/516-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/516-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/540-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/548-569-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/744-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/744-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/764-506-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/764-499-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/800-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1272-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1272-146-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1420-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1420-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1492-311-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1520-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1824-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1852-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-487-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-102-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-211-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2044-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2140-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2140-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2148-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-470-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2424-598-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2424-606-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-507-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-515-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2820-210-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2820-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2828-43-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2964-443-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2964-451-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-312-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-321-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-186-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3020-197-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-483-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-496-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3208-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3208-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3216-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3484-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3544-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3568-469-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3604-732-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3740-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3748-126-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3892-113-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3944-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3944-615-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3944-150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3944-608-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-543-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3988-748-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3988-785-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-947-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4048-225-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4048-236-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4056-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4084-526-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4084-516-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-331-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4344-587-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4428-617-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4428-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4428-640-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4520-527-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4520-535-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4524-67-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4548-553-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4592-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4592-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4800-561-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4836-940-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4836-966-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4836-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4844-579-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4920-595-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4948-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4948-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4980-266-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5000-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-849-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5024-185-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5044-303-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download