Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
355s -
max time network
354s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
-
submitted
06/01/2025, 19:42
General
-
Target
YouAreAnIdiot.zip
-
Size
223KB
-
MD5
a7a51358ab9cdf1773b76bc2e25812d9
-
SHA1
9f3befe37f5fbe58bbb9476a811869c5410ee919
-
SHA256
817ae49d7329ea507f0a01bb8009b9698bbd2fbe5055c942536f73f4d1d2b612
-
SHA512
3adc88eec7f646e50be24d2322b146438350aad358b3939d6ec0cd700fa3e3c07f2b75c5cd5e0018721af8e2391b0f32138ab66369869aaaa055d9188b4aa38d
-
SSDEEP
6144:M9iMNCHRNLhitoVak4jaChlNY4SWn0m3/ottG+DM:7IURthAXk4jBhKWl3/otc+DM
Score
10/10
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Badrabbit family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 64 IoCs
-
NTFS ADS 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\YouAreAnIdiot.zip"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zO8B314E87\YouAreAnIdiot.exe"C:\Users\Admin\AppData\Local\Temp\7zO8B314E87\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 12323⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1560 -ip 15601⤵
-
C:\Users\Admin\Desktop\YouAreAnIdiot.exe"C:\Users\Admin\Desktop\YouAreAnIdiot.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 14522⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1032 -ip 10321⤵
-
C:\Users\Admin\Desktop\YouAreAnIdiot.exe"C:\Users\Admin\Desktop\YouAreAnIdiot.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 14242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5032 -ip 50321⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1828 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0be4e4e8-0409-46a7-9fdf-c106b8d37379} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dad240d-4887-4c7a-8d1f-0fa3edf0dbac} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -childID 1 -isForBrowser -prefsHandle 1792 -prefMapHandle 1468 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76286bed-127a-4a52-9906-40f59347c99f} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3000 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b10cb60-7d09-4642-8cb8-e860e5575402} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4512 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4392 -prefMapHandle 4408 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7fd737d-724f-400a-8e47-4940c3ab5644} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c5432a1-ced1-4884-9db1-deb7832707d6} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a44894b8-89a7-4ae7-af51-96308af5a91c} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 5 -isForBrowser -prefsHandle 5904 -prefMapHandle 5912 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6489e64b-8d52-47dd-ae8d-b55f1de90888} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6112 -childID 6 -isForBrowser -prefsHandle 5560 -prefMapHandle 1768 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7892cb70-d6b3-49db-81de-828a30040576} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3396154886 && exit"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3396154886 && exit"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:04:003⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:04:004⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\F62E.tmp"C:\Windows\F62E.tmp" \\.\pipe\{891CA066-1A87-4A2A-9EF9-43ACBFB046CD}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\SYMEwUYw\JmEcQkgA.exe"C:\Users\Admin\SYMEwUYw\JmEcQkgA.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\ProgramData\WSIEgYEw\lIEcIMcM.exe"C:\ProgramData\WSIEgYEw\lIEcIMcM.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom7⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"10⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"12⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom13⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"14⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom15⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"16⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom17⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"18⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom19⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"20⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV121⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom21⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"22⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"24⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"26⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom27⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"28⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom29⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"30⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom31⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"32⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom33⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"34⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom35⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"36⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom37⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"38⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV139⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom39⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"40⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom41⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"42⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom43⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"44⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom45⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"46⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom47⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"48⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom49⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"50⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom51⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"52⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom53⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"54⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom55⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"56⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom57⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"58⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV159⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom59⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"60⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom61⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"62⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"64⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom65⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"66⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom67⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"68⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom69⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"70⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom71⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"72⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom73⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"74⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom75⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"76⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom77⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"78⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom79⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"80⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom81⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"82⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom83⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"84⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom85⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"86⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom87⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"88⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom89⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"90⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom91⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"92⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom93⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"94⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom95⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"96⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom97⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"98⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom99⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"100⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"102⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"104⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"106⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom107⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"108⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"110⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"112⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"114⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"116⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"118⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\[email protected]C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom119⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp1_PolyRansom.zip\Endermanch@PolyRansom"120⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-