infinitylock | hxxp://dq

Analysis

max time kernel
216s
max time network
215s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-01-2025 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://dq

Score

10^/10

infinitylock troldesh defense_evasion discovery persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock
Infinitylock family
infinitylock

Modifies visibility of file extensions in Explorer 2 TTPs 32 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 32 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 5 IoCs

flow	pid	Process
79	4276	msedge.exe
79	4276	msedge.exe
79	4276	msedge.exe
79	4276	msedge.exe
79	4276	msedge.exe

Executes dropped EXE 64 IoCs

pid	Process
4976	PolyRansom.exe
4016	UKUEYMsg.exe
1952	cqcYscgQ.exe
916	PolyRansom.exe
1944	PolyRansom.exe
4692	PolyRansom.exe
2780	PolyRansom.exe
4452	PolyRansom.exe
3968	PolyRansom.exe
1396	PolyRansom.exe
4876	PolyRansom.exe
4192	PolyRansom.exe
3344	PolyRansom.exe
3176	PolyRansom.exe
980	PolyRansom.exe
4908	PolyRansom.exe
4740	PolyRansom.exe
3968	PolyRansom.exe
960	PolyRansom.exe
1708	PolyRansom.exe
5012	PolyRansom.exe
4184	PolyRansom.exe
4812	PolyRansom.exe
2732	PolyRansom.exe
3432	PolyRansom.exe
2836	PolyRansom.exe
4936	PolyRansom.exe
4724	PolyRansom.exe
4756	PolyRansom.exe
5092	PolyRansom.exe
2508	PolyRansom.exe
768	PolyRansom.exe
1564	PolyRansom.exe
3856	PolyRansom.exe
4048	PolyRansom.exe
4704	Krotten.exe
4364	PolyRansom.exe
3404	PolyRansom.exe
5012	PolyRansom.exe
2028	PolyRansom.exe
3292	PolyRansom.exe
5024	PolyRansom.exe
1476	PolyRansom.exe
1596	PolyRansom.exe
1576	PolyRansom.exe
2888	PolyRansom.exe
1088	PolyRansom.exe
1084	PolyRansom.exe
2620	PolyRansom.exe
4184	PolyRansom.exe
960	PolyRansom.exe
4516	PolyRansom.exe
560	PolyRansom.exe
2508	PolyRansom.exe
4012	NoMoreRansom.exe
4080	PolyRansom.exe
1652	PolyRansom.exe
4724	PolyRansom.exe
2808	PolyRansom.exe
4492	PolyRansom.exe
5068	PolyRansom.exe
2892	PolyRansom.exe
3432	PolyRansom.exe
4048	PolyRansom.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqcYscgQ.exe = "C:\\ProgramData\\UGwcAQkA\\cqcYscgQ.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqcYscgQ.exe = "C:\\ProgramData\\UGwcAQkA\\cqcYscgQ.exe"	cqcYscgQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\UKUEYMsg.exe = "C:\\Users\\Admin\\oUoIwYkk\\UKUEYMsg.exe"	UKUEYMsg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fuYEEYww.exe = "C:\\ProgramData\\LCgcYIMM\\fuYEEYww.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\UKUEYMsg.exe = "C:\\Users\\Admin\\oUoIwYkk\\UKUEYMsg.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\IAgwEMkc.exe = "C:\\Users\\Admin\\pQYsEQoA\\IAgwEMkc.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fuYEEYww.exe = "C:\\ProgramData\\LCgcYIMM\\fuYEEYww.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\IAgwEMkc.exe = "C:\\Users\\Admin\\pQYsEQoA\\IAgwEMkc.exe"	PolyRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
79	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4012-1036-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-1042-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-1044-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-1041-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-1592-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-4895-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-5826-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-6330-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-6941-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-6964-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-6985-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-7004-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-7025-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4012-7055-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\AppStore_icon.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge_pwa_launcher.exe.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-hover.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\ta.pak.DATA.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations_retina.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\fi.pak.DATA.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Sigma\Cryptomining.DATA.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\file_icons.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\SY______.PFM.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Beta.msix.DATA.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\compare_poster.jpg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-hk_get.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main-selector.css.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\el_get.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_it.dll.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\v8_context_snapshot.bin.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluDCFilesEmpty_180x180.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\favicon.ico.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected-hover.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_fr.dll.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge.dll.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\PSGet.Resource.psd1.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_unshare_18.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Locales\or.pak.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\VisualElements\SmallLogoCanary.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\plugin.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_unselected_18.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918	InfinityCrypt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Web	Krotten.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 13 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (7).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (6).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (5).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (4).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (8).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (3).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2740	4740	WerFault.exe	350
1856	1944	WerFault.exe	351
804	5012	WerFault.exe	684
4068	4180	WerFault.exe	685

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 6 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\International	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1617593690"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31159166"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3716	reg.exe
1124	reg.exe
3716	reg.exe
2892	reg.exe
3848	reg.exe
2920	reg.exe
1168	reg.exe
5024	reg.exe
4632	reg.exe
412	reg.exe
1708	reg.exe
3536	reg.exe
4676	reg.exe
4828	reg.exe
3528	reg.exe
4092	reg.exe
4740	reg.exe
1200	reg.exe
2732	reg.exe
2796	reg.exe
4068	reg.exe
1576	reg.exe
4716	reg.exe
4716	reg.exe
3044	reg.exe
1708	reg.exe
4852	reg.exe
3184	reg.exe
2676	reg.exe
5012	reg.exe
1196	reg.exe
224	reg.exe
4996	reg.exe
4740	reg.exe
1596	reg.exe
2808	reg.exe
2944	reg.exe
396	reg.exe
1768	reg.exe
652	reg.exe
752	reg.exe
1956	reg.exe
3128	reg.exe
1028	reg.exe
2276	reg.exe
4192	reg.exe
2672	reg.exe
3716	reg.exe
1596	reg.exe
4724	reg.exe
2596	reg.exe
3732	reg.exe
3372	reg.exe
348	reg.exe
3848	reg.exe
1652	reg.exe
2672	reg.exe
1564	reg.exe
1808	reg.exe
2152	reg.exe
224	reg.exe
1944	reg.exe
4080	reg.exe
2508	reg.exe

NTFS ADS 29 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 684721.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 223991.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 812957.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 941192.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 965410.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (4).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 970615.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 610951.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 235979.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 987261.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (7).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (6).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (3).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (5).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 793602.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 536714.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 922419.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 160637.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla (8).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\smb-id9dl67p.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 429151.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4276	msedge.exe
4276	msedge.exe
4116	msedge.exe
4116	msedge.exe
2016	msedge.exe
2016	msedge.exe
1912	identity_helper.exe
1912	identity_helper.exe
3316	msedge.exe
3316	msedge.exe
3820	msedge.exe
3820	msedge.exe
4832	msedge.exe
4832	msedge.exe
4976	PolyRansom.exe
4976	PolyRansom.exe
4976	PolyRansom.exe
4976	PolyRansom.exe
916	PolyRansom.exe
916	PolyRansom.exe
916	PolyRansom.exe
916	PolyRansom.exe
1944	PolyRansom.exe
1944	PolyRansom.exe
1944	PolyRansom.exe
1944	PolyRansom.exe
4692	PolyRansom.exe
4692	PolyRansom.exe
4692	PolyRansom.exe
4692	PolyRansom.exe
2780	PolyRansom.exe
2780	PolyRansom.exe
2780	PolyRansom.exe
2780	PolyRansom.exe
4452	PolyRansom.exe
4452	PolyRansom.exe
4452	PolyRansom.exe
4452	PolyRansom.exe
3968	PolyRansom.exe
3968	PolyRansom.exe
3968	PolyRansom.exe
3968	PolyRansom.exe
1396	PolyRansom.exe
1396	PolyRansom.exe
1396	PolyRansom.exe
1396	PolyRansom.exe
1808	msedge.exe
1808	msedge.exe
4876	PolyRansom.exe
4876	PolyRansom.exe
4876	PolyRansom.exe
4876	PolyRansom.exe
4192	PolyRansom.exe
4192	PolyRansom.exe
4192	PolyRansom.exe
4192	PolyRansom.exe
3344	PolyRansom.exe
3344	PolyRansom.exe
3344	PolyRansom.exe
3344	PolyRansom.exe
3176	PolyRansom.exe
3176	PolyRansom.exe
3176	PolyRansom.exe
3176	PolyRansom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1952	cqcYscgQ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4704	Krotten.exe
Token: SeSystemtimePrivilege	4704	Krotten.exe
Token: SeSystemtimePrivilege	4704	Krotten.exe
Token: SeDebugPrivilege	844	InfinityCrypt.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4480	MiniSearchHost.exe
4116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 248	4116	msedge.exe	77
PID 4116 wrote to memory of 248	4116	msedge.exe	77
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 2336	4116	msedge.exe	78
PID 4116 wrote to memory of 4276	4116	msedge.exe	79
PID 4116 wrote to memory of 4276	4116	msedge.exe	79
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80
PID 4116 wrote to memory of 4336	4116	msedge.exe	80

System policy modification 1 TTPs 37 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://dq
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1d1f3cb8,0x7ffe1d1f3cc8,0x7ffe1d1f3cd8
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1224 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1676 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\Users\Admin\Downloads\PolyRansom.exe
  "C:\Users\Admin\Downloads\PolyRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4976
- - C:\Users\Admin\oUoIwYkk\UKUEYMsg.exe
    "C:\Users\Admin\oUoIwYkk\UKUEYMsg.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4016
- - C:\ProgramData\UGwcAQkA\cqcYscgQ.exe
    "C:\ProgramData\UGwcAQkA\cqcYscgQ.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1952
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:3536
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:1768
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe "C:\Users\Admin\My Documents\myfile"
      4⤵
      PID:3076
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:2344
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe "C:\Users\Admin\My Documents\myfile"
      4⤵
      PID:3344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
    3⤵
    PID:768
  - - C:\Users\Admin\Downloads\PolyRansom.exe
      C:\Users\Admin\Downloads\PolyRansom
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        5⤵
        
        PID:544
      - C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        7⤵
        
        PID:1812
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        9⤵
        
        PID:4008
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        11⤵
        
        PID:4240
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        15⤵
        
        PID:3372
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        17⤵
        
        PID:4768
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        19⤵
        
        PID:3696
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        21⤵
        
        PID:2312
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        25⤵
        
        PID:3404
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        27⤵
        
        PID:3552
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        28⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        29⤵
        
        PID:2152
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        30⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        31⤵
        
        PID:2536
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        32⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        33⤵
        
        PID:2416
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        34⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        37⤵
        
        PID:416
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        38⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4184
        
        C:\Users\Admin\pQYsEQoA\IAgwEMkc.exe
        
        "C:\Users\Admin\pQYsEQoA\IAgwEMkc.exe"
        41⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 236
        42⤵
        Program crash
        
        PID:2740
        
        C:\ProgramData\LCgcYIMM\fuYEEYww.exe
        
        "C:\ProgramData\LCgcYIMM\fuYEEYww.exe"
        41⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 236
        42⤵
        Program crash
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        41⤵
        
        PID:412
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        42⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        43⤵
        
        PID:2672
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        44⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        46⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        47⤵
        
        PID:2684
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        48⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        49⤵
        
        PID:652
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        50⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        51⤵
        
        PID:2088
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        52⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        54⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        55⤵
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:3848
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        56⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        57⤵
        
        PID:4676
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        58⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        60⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        61⤵
        
        PID:1016
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        62⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        63⤵
        
        PID:2836
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        64⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        65⤵
        
        PID:3720
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        66⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        67⤵
        
        PID:1476
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        68⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        69⤵
        
        PID:2620
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        70⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        71⤵
        
        PID:4184
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        72⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        73⤵
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:1016
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        74⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        75⤵
        
        PID:4716
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        76⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        77⤵
        
        PID:2892
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        78⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        79⤵
        
        PID:3820
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        80⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        82⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        83⤵
        
        PID:1040
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        84⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        85⤵
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:4632
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        86⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        88⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        89⤵
        
        PID:1500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:2780
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        90⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        91⤵
        
        PID:4392
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        92⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        93⤵
        
        PID:3748
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        94⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4184
        
        C:\Users\Admin\pQYsEQoA\IAgwEMkc.exe
        
        "C:\Users\Admin\pQYsEQoA\IAgwEMkc.exe"
        95⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 236
        96⤵
        Program crash
        
        PID:804
        
        C:\ProgramData\LCgcYIMM\fuYEEYww.exe
        
        "C:\ProgramData\LCgcYIMM\fuYEEYww.exe"
        95⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 236
        96⤵
        Program crash
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        95⤵
        
        PID:3764
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        96⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        97⤵
        
        PID:3284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:916
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        98⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        100⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        101⤵
        
        PID:1500
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        102⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        103⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:4636
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        104⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        105⤵
        
        PID:3404
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        106⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        107⤵
        
        PID:5104
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        108⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        109⤵
        
        PID:904
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        110⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        111⤵
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:1808
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        112⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        113⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:2836
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        114⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        115⤵
        
        PID:1564
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        116⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        117⤵
        
        PID:4532
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        118⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        119⤵
        
        PID:1932
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        120⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        121⤵
        
        PID:5092
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        122⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        123⤵
        
        PID:2888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:4392
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        124⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        125⤵
        
        PID:4632
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        127⤵
        
        PID:3164
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        128⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        129⤵
        
        PID:2296
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        130⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        131⤵
        
        PID:4092
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        132⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        133⤵
        
        PID:2668
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        134⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        135⤵
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:3696
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        136⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        137⤵
        
        PID:3716
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        138⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        139⤵
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:3528
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        140⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:4780
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        142⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        143⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:4516
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        144⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        145⤵
        
        PID:3244
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        146⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        147⤵
        
        PID:3372
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        148⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        149⤵
        
        PID:1040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:2740
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        150⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        151⤵
        
        PID:4604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:3748
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        152⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        153⤵
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        153⤵
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        153⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkgAkUkQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        153⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        154⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        151⤵
        
        PID:3116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        151⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        151⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiggMkgk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        151⤵
        
        PID:2276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        152⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        149⤵
        Modifies registry key
        
        PID:3716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        149⤵
        Modifies registry key
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        149⤵
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMEgEwYg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        149⤵
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        150⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        147⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        147⤵
        
        PID:976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        147⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUgMQIIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        148⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        145⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        145⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        145⤵
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcMwowgM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        145⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        146⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        143⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        143⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqgcQQkA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        143⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        144⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        141⤵
        
        PID:1708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        141⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeAwAwQw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        141⤵
        
        PID:1352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        142⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        139⤵
        Modifies registry key
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        139⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        139⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIocksoE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        139⤵
        
        PID:3556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        140⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        137⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        137⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGIgUQUE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        138⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        135⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        135⤵
        
        PID:980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMsYYcMI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        135⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        133⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        133⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        133⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqQMsIwA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        133⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        131⤵
        Modifies registry key
        
        PID:4828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        131⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        131⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEUcQYgA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        131⤵
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        132⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        129⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        129⤵
        Modifies registry key
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        129⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqIAEUws.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        130⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        127⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        127⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        127⤵
        Modifies registry key
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeUssAQo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        127⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        128⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        125⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        125⤵
        Modifies registry key
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        125⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYccwgUY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        125⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        126⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        123⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        123⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeEIIYwE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        124⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        121⤵
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        121⤵
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        121⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiMEkAgs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        121⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        122⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        119⤵
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        119⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        119⤵
        Modifies registry key
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiEQsosg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        119⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        120⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        117⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        117⤵
        Modifies registry key
        
        PID:2508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWYYwcUI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        117⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        118⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        115⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        115⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        115⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyYwcwMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        115⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        116⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmgccYAQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        113⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        
        PID:3968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        Modifies registry key
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAwgkEQU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        111⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        Modifies registry key
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQYEkMQM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        109⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGYwQYAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiAYwcQM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        105⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMIwEooo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        103⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgQMEYMg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        101⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        Modifies registry key
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        
        PID:1412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOIwEksg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        99⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        Modifies registry key
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roIgEMcQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        97⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        
        PID:904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foYIMokg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        95⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        Modifies registry key
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSAkUIkc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        93⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        94⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiYQwwkY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        91⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        92⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        Modifies registry key
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyQsoMYg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        89⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIwQYUUQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        87⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        88⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYgwsQIY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        85⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaMEIkcI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        83⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        84⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGwQMgsQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        81⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        82⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqwAUYsc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        79⤵
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        77⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        77⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        77⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uogkAQgI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        77⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        75⤵
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        75⤵
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        75⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqUcokAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        75⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        73⤵
        Modifies registry key
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        73⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSUgwEEo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        73⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        74⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        Modifies registry key
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmIUwMIU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        71⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIwswAwo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        69⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEYUwcIA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        67⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        UAC bypass
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAoUosMs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        65⤵
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAgwIQwA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        63⤵
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        UAC bypass
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owMIAgEQ.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        61⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        UAC bypass
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lygIMgQg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        59⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOcQwMgo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        57⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKoUQgMk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        55⤵
        
        PID:416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkgwAIMw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        53⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSoAwgYA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        51⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiMUsEsA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        49⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQEkIAYs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        47⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEsIwcAI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        45⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        Modifies registry key
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyQYYccM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        43⤵
        
        PID:2808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgoIscAY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmAUwIII.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICIYUQMc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        37⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        UAC bypass
        Modifies registry key
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQokoEEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        35⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        Modifies registry key
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWAQoYQc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUgwYoEI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        31⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwwkQUIA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKYEEYIE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        27⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        Modifies registry key
        
        PID:652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        Modifies registry key
        
        PID:348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeswEAos.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        25⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McMkgUEI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        23⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWEUwIss.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        21⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcMUcYwM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        19⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        Modifies registry key
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YggIUYAE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        17⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKIkIIQI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        15⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmYMwsoI.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAYAMwcM.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        11⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKEIkMEE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        9⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKQkIIAA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        7⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:780
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:972
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmUogQcs.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        5⤵
        
        PID:4908
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:960
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCMEMoEU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
    3⤵
    PID:3352
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4492
- C:\Users\Admin\Downloads\Krotten.exe
  "C:\Users\Admin\Downloads\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7048 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3144
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1576
- C:\Users\Admin\Downloads\InfinityCrypt.exe
  "C:\Users\Admin\Downloads\InfinityCrypt.exe"
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6692 /prefetch:2
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7304 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1164 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6832 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7436 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7856 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6460 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8412 /prefetch:8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1576
- C:\Users\Admin\Downloads\AgentTesla (8).exe
  "C:\Users\Admin\Downloads\AgentTesla (8).exe"
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AgentTesla (8).exe (8).exe"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284
- C:\Users\Admin\Downloads\AgentTesla (8).exe
  "C:\Users\Admin\Downloads\AgentTesla (8).exe"
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AgentTesla (8).exe (8).exe"
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7068 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7384 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7144 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7148 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,15043096641992892646,5212429245455478791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7372 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4740 -ip 4740
  2⤵
  PID:396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1944 -ip 1944
  2⤵
  PID:4092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5012 -ip 5012
  2⤵
  PID:972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4180 -ip 4180
  2⤵
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
16B

MD5
1a112813e012772f72db0081c7c97005

SHA1
2a3baa2167800ee118b0f9d52b8fb79171802120

SHA256
d5a11175f200a5b3c4cd86b0f4e2256b89f4b9d92a3852ed411a885939268756

SHA512
2357f84918d8f7f33d5daaa310332d61a79afd8b3ed19d06d184ed323cc0780959b22ccdf5483ef1c1c6c45860c466787bde5206b4717a7b9c400af433de24ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
720B

MD5
99d1eb9f45a6800a91cbd735d8ed135c

SHA1
199f00611ff20bb63a836ee55c511f56c8969d85

SHA256
dc40166288d5a18e6cb70a4d76066bb3159cd8fc4c9ab80f9416545e411c291d

SHA512
1e3810bedff15f68bfa92d0d238de832134d3d8c30892fc0a25e036d01b3aff835af559e28ff18e0e854311322eab58d16cfb61a59b570ac71e7de3cc045075f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
688B

MD5
d6fc59c9b72f0545ba0def1c2008868a

SHA1
47cff8182754664b547cb38380bcd4b255e4dcff

SHA256
9e2d6726be0158f291500a01a73f6bf5e1cdc63e381b13291dd9398af669f111

SHA512
548f0e40a8e43a85c615de48436c17b69dd23363a020a9bac5d4bfddfe5a5233bf116691e1d6ec36cbfb781c48f1153b5bcd966655c3d255cabcde7feb384cd4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
1KB

MD5
1f6a9cb63fd84c776a84d0d26a7c6471

SHA1
8c521e2cbe7e6c0af1378f3aa961f99ab7155cdf

SHA256
164604ad215fb064cf6bf1e4ec0e1ac8617b0448a82549fbf1ac3dc9cadbd8c6

SHA512
622d9aa0c58cdee467f986a9e49fe4ac6af6045692ab97e62e9dd6b44caa63a28dcd9238d49bc95afa6305c511ae27c5f43b439537e69c3b8ed1adda17c52727

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
448B

MD5
68746a48bfd47b3db880adf7cad4259c

SHA1
ad33ddedbc8daba09bdb0dd858672c19734a7df4

SHA256
e023b8c92d272a0fc7aca180533670b0b9c866c8b9feaed8076236651898deca

SHA512
140ea8eaff45369592a10abfc898c80114c1769971db6b8f54d48ca4e926ae1622ff96c0eb1891e0e421cf3429d5ba8d5755fe5982f6b72d389904e870ec40e1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
624B

MD5
e3da0eb726c62f482852c7774ed2c1c2

SHA1
5986da0bfa119e8ecc983bda94bd1339923759d3

SHA256
67f46fd7d0776af1c8d08256674e79cc30c4f8710d7345aee70478ea0c6d0a37

SHA512
53b26e5c1fe6efccd6f6f161f800a132c0bcb9f2c60b8a89ad6e01516d3716b5f376f670eec99e610097b455fe17c6754cc63b487b0f875f0d9d6a23070d5ee7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
400B

MD5
c9f8c79f14a5492032597abb91abf36e

SHA1
a98b8385a6c7e777a8dc04a6146059d20742dd32

SHA256
cd7c114a607a26613659e359b026620a24b6a0a9ffcc0f0b9e8039bbce7797ce

SHA512
70f30b25dcb6ef6d15d02b2ca9d8ec9b37e4cce954ae4dc4659078e980d4a2a2daabb9a86ec14c9c50295a2c57858e0206c891674e5c2cface5ac8c77c549751

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
560B

MD5
9d1da58e29435d71f3ae764757521e9f

SHA1
fa08da6d4bf5dd85090a5e39901d6558bb46bb1e

SHA256
249d35a13da278141865e29b2375a5ec2248050379454d324dfe0ea77c650206

SHA512
df4a181622ec7333bc3ae97e48899c1cacd43bc637e26d931fc45d596a1b03088bbbc44893b7e28ec5756c55cb9bd7f1e3534f5e747f7cb032c6eb48c05b3577

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
400B

MD5
1f0b8f58f6c0791457a655ce7b1ea939

SHA1
4a68530c7016b2af211cca1d43752d94454cff5f

SHA256
9cceab0e4e1db2f139e5e148f43556776af3b995832f924bc0fcd502167190ba

SHA512
ab11e09a3717a8800426aa07070ab8b2cb1706cb51b3fdb2ef32e51d87c4f620eef3a634e27ea2928a1369c94e024e98f09538171b33c00ea184b7dd87cc7e93

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
560B

MD5
a8ab82ba16fb4544e47f65e921277fe4

SHA1
8abc99a9b8fcd83ab8b1b12edc3fc0af673c346f

SHA256
d3b2c0275529d62e569374a9648a5598fcd68f6c55fbdeae9012f2b5d2d5492b

SHA512
b13109e64f4af49104691505a40fe54e335f9320788637e13182826d6b3752ba6344397d5a3a1b4d6611f02c83bdef4a5d51c4b29bc7458de8aef9696c5070e3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
400B

MD5
6dafe0424d016081fb567e101340737f

SHA1
99d6859bfebc0342b07a327601ef6669f03969a9

SHA256
bcbb624e97049917c5ef487b9399a2531504489fb6af256518b96089be122467

SHA512
705168c1c198ad3e8f69837854d1c40ad3bfd8f8a18e4ed6bd77ca7e1a97a128cd2380ec355779b79cb303473f4e9458e7ff743198a6e27bb2f1aef8e4c75f94

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
560B

MD5
cfb1c7a9d098cabff0c6a731a9ec2df7

SHA1
9812d6d540e23c41ea1e625bc2f073dc9835f0fe

SHA256
ff2998b94fbd18734e41d33be275af425d025170927ef3e5851c3cbb431f08d5

SHA512
1d43b816d7bdbb51d3a5dcf800fb38ee5cd947328fffb4602ee6910649ee8217e340a543d07638224adf055e27c211423e4fcdd8f1ed7fb67729291b21d8d24e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
7KB

MD5
028443c517ea88452178b56381cf5466

SHA1
b8a219a820cdb5ce10ecf8d7b6d414224262d0af

SHA256
26e098b2aeafde970a38a6d802b5a0e30272005651e7e21e3963cde2f5517946

SHA512
cca795a0c7ddeeaad25324bfbf439b083b5bff7745ff93396451a10b7ade5beb073ca6c70d36649918a22dc7f867b302674ef8b0cc8858daec891277b7c5d53d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
7KB

MD5
e209e68683b789d43ca576fdbe0c1600

SHA1
a16ca63dccf34ac35a7f0ea8becc7bfd217d74c3

SHA256
db18e1c26812a5d349b4f828e5b5206ea20fd28082da69281823f5d48751a384

SHA512
d1e5fc8ebc8974babc45fa09c81513bb5af206c053c784521f9223f96077d2cfdabcaf76946f4a5c60bb63850321c6200372eac614952c44fb4a04ccc1d57567

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
15KB

MD5
464e879fd7e0fcb36fa97e508271059c

SHA1
228d3638d0ecc54253a60e7dec0cd188acb47b01

SHA256
f3f5430bf73c14cd5ac2b9f22aeb8158fdc1c40b4b420d9785c65aeaef2073c6

SHA512
3e61bc14594227b2701856bba0017357259d0cc41c83b7143c06447a46fc48001b69abcc43fa074ffeb0281b0b3b914ee1131618c6b8886529454f5ffc3d4a35

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
8KB

MD5
176a04fcfa90213f3c0f7bcb05dbc891

SHA1
2fa6463b82e5cabac94e616b741d6c87eb449054

SHA256
894cf17d1192ebfb804802263956cf7f12395149d5749721ff50de14edbdfa6b

SHA512
0a05ce69c11fec3aa1515867ab4f894f60803f5053c277396661c457b16dbe76cd72fef68332ff27dce81a821df4801cdf070f807bb307a80378cd327b4cf42f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
17KB

MD5
7a0132ec2ae68da48cbd307bb1c90315

SHA1
3ebee36844f42443667ca040935ad222b9a50c0f

SHA256
dab9c895e8a4b3eaffcf5d84476eb456858b3f562efa38c3ac6703c1c32e1f13

SHA512
7b8a89d2b3ec2ea3dccac1a09bd83932ac56f616d50e2fa55cf9435fbe8673b5b628d01b719ccc2ee84515f129a92c0fad584cd2af97d8ef379c069a1510caee

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
192B

MD5
cac8008b79d005be0a18b712b99e9061

SHA1
aecbeee5ea63415a7d92f633c5b01672e756162c

SHA256
761e251c7314466066416d4e55b3676bd6fd905293dbf875e001b1218ba885a0

SHA512
58f50588d16ac0ab16161470d1dbad5a70e0a1e84fff8504dc43386d4dc17c090ff0813cb9bac85750029759097a129d166b51b56d54619a4a7ae0f5e40d1ead

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
704B

MD5
3452da963cf33bc7bb3986f6a77e3129

SHA1
212f2aca56b668b7829ad44daa3e4ee648e85f47

SHA256
fbfc449992658c1262114572c963ad6ee2ed0b7b8051434eb1c740537f2e75c7

SHA512
cf7a5df2bfc4758ff6685ee85058d88bb3cfdd59d4befadcfdc18a51d7ad6b5a81bca7b55041f8d2fbc8577035f2d7c90388cbf97072c575ebff950ef978f2ca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
8KB

MD5
e5dc37f533d0c551ff3db5d74ad32692

SHA1
3142b4d581f8321bd4b19066be3cc6ce4b828a26

SHA256
2aa29af20fe5adb3a4e9854a02efec5c004aefeec37abf739bbf145430b24ec5

SHA512
beddaae6724f1b8e0cd6bcbdd98f7f06b2e7e69f49e53f15721694c053326a20d5a62d4c53ab372ecc323ec059bc4aa2d27b48415edb3ebe8bf8d627cad91f3d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
19KB

MD5
775861c144bc9d492c5d79eb2de74a95

SHA1
df24ed20d8feaf3629d7c744d90d546a47503d0c

SHA256
d841b429f15ee7bdc0b9d51988b6f00b5095deac4ad9b0e902662dea572d693a

SHA512
d37d7c803bc9dfa868f3cef449236d67dcf293228bde37cc3213e5a564994a8b6973f4cca3829bffec67f95729d7478c6759429e8984d167d538449248523f94

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
832B

MD5
5dd6442cf236fada3f1ba0a8425a8b41

SHA1
bde8519f7dd2110d6e955baf0e867ff8d7b6d81e

SHA256
36fd4b2946d5333dcc426188ca52615fde19e07c63bc8f66a30f141704d273b3

SHA512
e705014991e54feb4890ee56609c15fd5c942792f893ef471ad632818d08e27688bd8a19e28d622a2e5495db142f38312d4163aca43a2377e42f73473c9d90b7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
1KB

MD5
cf1623bd64d26412cb4287a4c5a9cbbf

SHA1
980230c5b2f626383043411ccf0c652c73ed5fa4

SHA256
53e5313493f3f97fbb20a25c16f2a8bf739e048d82d1b84ab665c6382624a941

SHA512
b4b48f40f8fee91399cf1ad9206bbb82786828cb03e4b7320aa57ba8be385b2545cfea449c12dfdb81af3299f7070b89149b5afa80b8fb0e95acbb07e1cbcfc9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
1KB

MD5
2f7887877a0004462ce13456809d15a4

SHA1
cc91514f2c95ee39808f242e357102c67333b19b

SHA256
cdaebf8059982c0eb88f1f99605b24ee0ae73282b80fc898b50f28f24b204d32

SHA512
ed0df4f00b86d17ef1da6b1ab7266ec20c7b9a1ec5fbd49c95bd9276678267409e60b224e520e69ab220e1cd9fc906d225d462ffe551a335668ea1ae068c0c88

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
816B

MD5
743b60443365dd4a08b32f55f6c3d368

SHA1
c89a89fde9b1a321acb08fd7052e7c35cafdff14

SHA256
d5392107698ecda898005072e300dfc45cc159153544ee8a8e677ca4401f1345

SHA512
5bc853dc494591eae65c7d11fee653d1eb831e595b3fec7d38efb3e6d84987b0d78da59ef15d0a66292fe0ca8589640c347b9369bf72ea38aa0df8197f690efd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
2KB

MD5
33b9f35e6430cf4bc57ab3710a7b6066

SHA1
55e45daeb573c48b03c5c76f70b10d4bcc7d9cf3

SHA256
0b0920623552e1a40761dd86659b6b04a3f3710b3d5d0359b199384289a098e3

SHA512
d5f0cffd945cac17d4361d9c86d42fb20f7d89f16a1d3d73049c96d3121980817aafca64a6f48f53f976fa314f54850786f8065b32590deca330e717357f4161

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
2KB

MD5
3fce97c829c5d8cfc2f501a149ab8c44

SHA1
4e9b1d6e57c00685e98eeb37169703505019937c

SHA256
a45fb857eb0aea2c6bde5e74c71807488df3df4fe59990d3b3aac2daa856ea94

SHA512
1d20b054ee9921218045d88448adcbe368401cd1e8625254b3be3a79b80a387f59f19b35bb054addd1f4b55c26c5c7d51ba2ce5f006c1cb33d7080188cac26ef

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
4KB

MD5
f28e9bf441e6b581863dd3643b68bfc6

SHA1
e6cd7ee1bbaa57748f1a03209630a5ad3a454d36

SHA256
861bdfa3dc1e99599b52101a7493e5da55eb2eb1362dce670035625c1bdb2d4d

SHA512
592cc7c9fe8a9eafdf7b245a709fac578696faade9807021ded9dded9953d25a1216e158d108882904532742c0069b4c4477624eb9f9506fd677057571ae6e08

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
304B

MD5
3cd9900ae61c66d7e91ffd3e8dab1aaa

SHA1
4d2473fffa8dc53332a4b6ebb742575b4f009149

SHA256
de067165896fcb9af83216765b5e54b35877356ff77ac7d9a69bed461b87fc23

SHA512
2bfb5dcd477d7da542d482ab503c3838cda6c1b1fe0a046e443b580bd5856fd7950f9e4955f0615c0206fb948844b63ec83672b9e0a877ab63068c384bbd7bd8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
400B

MD5
7ee6ba7414f7a3fded9baa89a4a6b70a

SHA1
e945a7df4603e265b498f3aee983cce80a8421d1

SHA256
83f5db704711b62f8cac4c04f5b040ced6da75ca0db3c63df59eb44b3486559a

SHA512
71eb5c0149ce799085a28e88bd2793d41c1051768ae2e58cf8612c3f13d322a79d6b37805fbb72778444fec2ef135d17663ca8d300faec696c9728b59bc8f95e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
1008B

MD5
ddbe7b92d0598b9794fabf24157d1709

SHA1
d1d5b7be7a33471bbe51c28229dec84c933f9e35

SHA256
b05225e27b2d40cc292b208d5674f689c7cefed530809469e1dc6f99e4d93f1b

SHA512
31e971d21b7ca6c231087d4efcf4ad0cf75f72526201791a8022bee3f6845e613fa03b096a2500bd034502d43773bd2579211c45c662d4cfba9532ca5e989c73

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
1KB

MD5
7cc96e57e059497d713b307eddf4579d

SHA1
3d30325652d9f794b86c5305c9493a06a42470af

SHA256
6b4f19456149bc746a7a8f0f04474b14e843ffaa8aa1603c653aa00656be57ac

SHA512
ac04e36a5f43cc49a9600ca72cf1d65b9556ec3b29afe549d4c4a924088a43b4cd845b71f9be352cac479b15376ffddcbfe42dc4c702ddab74d6cbabc3a1427d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
2KB

MD5
dd727f05ce3d47ec797c7233c7a54e6f

SHA1
1dc2a665c69f982a1f1fa9a038a2094fd49dcff6

SHA256
67e81ece63835da0c7e65c8ba133df9190d07de22397753c4680d331ce209442

SHA512
a07ac7da52e9b12df5aa2b03a7b3f9d873e28f41e04004beabb627ccd7d27f64bf4d8fe93e089add4a190e36869f29f3aa6ac44239e5642c3cc209266e4ff61e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
848B

MD5
75e9db6306e5f49ed6914f0441eb751c

SHA1
533036510ae4ada8c1d73f664e4eda32e95bd74a

SHA256
cd44a7079e9886236f2fb30f9d442e9bd6b2ee6ee51535e2cb71d5291ba0e9e8

SHA512
63d81a541e37bf408422259406ba0294292294b3ad1ccec9c03e104e3e50216cd19a4d56926897dfdbf71c9b1826db32576d6c48a5baee0ad7f8834140eda632

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
32KB

MD5
05eda0c935deb0120661680aa4fd3e76

SHA1
c025cec681f69b5a2d21ef9869b9af16e5f38df5

SHA256
25b35f3c95be71ef6d1b8918cf3ed485bfc7cdb7e284c2867f871ca34e0a1ebd

SHA512
78ec20056c4ebb24b2461c4bc54fc81b90eef6b74867ee04c0173dd5e21cefe7c8bafd11ea6c34a884d9c4042ddaa828a13d01538789f04c7f7d0fa3ba92bcc9

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Other.DATA.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
48B

MD5
186fa8fed15543494eef23360ff515e4

SHA1
09582b596df2ca9b12ffde147184b537b6ea4af3

SHA256
41f8b366183a6ead86e6db720c6a35ed54ef465f11c6f9a9386b36ef0edad9b1

SHA512
c6f554cc419ea7f7ff230ccb60cc35eea708b72b4675c3ddc2ae66438478f90f7b237a305578be1d3154904848e038ca948b3e0866977704701cab3d57563aec

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\identity_helper.Sparse.Internal.msix.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
55KB

MD5
d63fac16fbce15649d1f53d63be70341

SHA1
6bc0ab60ae13216f89c63ef7846f666b3c3890af

SHA256
3f78b8ad79c7ed84849995861ebddf23e7481b295cf13adaad1b490f2f1f14d0

SHA512
abd9b6c2574fd667c2939fb8732fae46e0a851d438e87673086e040d566d1c05116854e85910fed046b70f6b6d4d46d66631fd1dcfeddd55b4a54fb4b1b5457d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\notification_helper.exe.manifest.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
1KB

MD5
0fb57c979933c0a2f3301ea7aa6b23a3

SHA1
8d10f20f965756accad73a4de84a88d907f75435

SHA256
ec48094908293f4cb33a801916cec805d72ee3dae31a4cffe8b099da193277c5

SHA512
3c2cae5520eb3f8575dbdc8407ed100c1003f2a672078703e73604bdc1ff7974d0b6cf9b36f1fdff63391249ab026e6ad1a8b30cee2abaf0054b8470d05316f8

Download Submit
C:\ProgramData\UGwcAQkA\cqcYscgQ.exe

Filesize
197KB

MD5
c53b9f05753fd9237c6f069233f3e511

SHA1
794b746fa0ae9dd626f71894e7ab87280368bb53

SHA256
b9dd23d4261221b617b574943792f8c62e8ffd9c73ae3c3211f67a73ebd11339

SHA512
96d146f3bc8d4490ac28f208538def43146199d01239b69337093803c7e5b901011f68e5661c2646635f4b3dca501988d74989c078fbf06d10e5264599df1db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8776874c162aafc2d5edc23a08b215f2

SHA1
8384c3c01da8597748a2fd214cd5f01b39e2ce91

SHA256
23c768f9ae59eb4ad6bc3d2e6f75713b3827748900d85eb115015e9fc6bab81a

SHA512
faa91520b8fbff7cf2a8b6038fa37401454a722469e8e50314c05c7f161546b09d4f1dde9852a642bd2d88540645bc4660822d25e8cb7babdae565e50f88e015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1009B

MD5
0151ac5fab7498e1855efdc9d85f6156

SHA1
c768b9b35d4b752e3f1b3144b75cf59c28103e79

SHA256
44efe77898a8e67b0a2444198a88654af677915551ec03a7aa67c9b7a684771f

SHA512
106f323013fd54d3ab7428f84c721a702b207ad0eb65e9d465d2d9984450f8872b7f30621d8873899c9f929d5c2a4516a0c1db23124ada4e3e677f628f5d4419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e0035ad359fa017afee9a8b28b2f76b2

SHA1
1ef34914f982a8c533ed4a16a2e1a9121816568b

SHA256
7d3e509b8870f87b1aa8ed2504af5a03ec433fcae18cf739bb2b42f29f6db24a

SHA512
fbbc786c27ce3477efa4b7d936785a8946d82e0e45e83e6c2a39cd03961a539c4dca9df792e333ade38bd0941cf50f336adb615e8052c7ee9b6d0b98cc00e10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
67c8d87503159d1049f783b5a21735f7

SHA1
47d15b4bdbefd48fdd47ee2e3290e58115935c1c

SHA256
b1952d47c5da91cd16f608642b5418e18603447059e32540c4b3759a54638e94

SHA512
0f125e32e80743368d4342df7e44b978872dd9fc6bfd6368ecf9d69b7443b7b866d82c3b75d5ef3260214f75d32c865208e68df9396a1ee629783d217e06b544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
94869342658450170684ed79b7dec07c

SHA1
ce3ae07077bb95b0de0c2c05b4d80e4b98aae175

SHA256
5cea59bd3161969421dc00975e85e2d9c2642b48dadec507672be6d6af3d3f94

SHA512
bc2f6c56d99aa660972e71aca553a8ea492f1c165e4927d7e38bdcc1bbd0af43b08b07943c8f1aabdbfb7fe42a0313fa72746f0bfd5bbbb90e37590bdb4de740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6946d04db606c0d2cf6fb431a1acdaa3

SHA1
0534218c0271571fe65c859c09ab1c6109e9f095

SHA256
e94028b59bc6d7a65583770a016c3caa5f92da963cdbbfe9c94db990395d9b0e

SHA512
889e9b25579514409de9607f51146cdaa0cc768d57bd260529adb78948230f7a300fad08a413aaca0526dbf8c28e663b0ec73d06862b2001e58288b4bdbff619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98ef6c21ecfb5f51745626a091e157b4

SHA1
b78a9f66faf0e4ebb51205cb868a4133f9e8d6fd

SHA256
01d709d573319a947ca0806b1bd393cf42826e834ac208fcab73b23e2832d14b

SHA512
9eadc94eaf28b3ee638198434aed23e722854aa0f0bc9e09639bac3d2ede97071f15e62bfb924bd1dec3588bc9d6740c336c99936a271a44c05db29c0930f2ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9a3788678b2b1d60f7e1216fe6f481f3

SHA1
9bbaa9505410b25aaabc7191bf7cd18defd8e3b4

SHA256
b909a97d30830b5a05127cceff3d288b1bf6965388cd07d0a7829855cba101bc

SHA512
91d5cf081b63415859ad2489156d782f5c12d77253576fe3ceb4b2741b45ad788bfa2923ec70af35ededec0ee61987b85e6beb597b0ae124f4e2f4d85d6fc497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ab01b39a0a70be1871d8fdd06ed72d8f

SHA1
c2d27f3156bb9babef33b31c39093640ba6e661d

SHA256
e1dc160e422813e5fa62a47fa511b6cb052c358cd6905a08f46e8f09d0c72184

SHA512
f31d11f4e1b5754de79c78a8c6ac0eaa4588f739cfcee0077485b843ff3f5b2affd1f34e24b1477c3be16851571e5b7ec31a3df786a4cf49d80b9f8d79e7f5a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4283862da7f1951c2d06e09e0bbcbd11

SHA1
a43fad7884f365347df9c69c77dc7b05bc4234df

SHA256
55c9c2e5bd1c9669fddbb895a216f3824750ac6c7c13d9bd1a001feea5564911

SHA512
195672e7e3e409e7f0e3861641dc52436db7dafa5d7df6e2aa5312de412fbc36aee95b0996729e330c9fc08c4306dfa385ad4cf85247c0a4c4748f3641354f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea64ae2e1af07cea5269df973232db0c

SHA1
d4741763c01f172809d85b5da4123c381e9fc859

SHA256
63a231e1dd6b8c81a67b7489253b23311b881b5ebcb0bc4e8ec06b7532cb1ab5

SHA512
79edcf4a759bab8a96f14f1ef454a8fbdf2d1b29faec76dab5ed2424fdec0afec6f90f55b7afbb641722d35704ae1023c4175a0111074dfcd36f09a572456a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a78a15cceed582447cc73dad11d3c8b7

SHA1
25aace0be47b081e73a99979982dade8d51f30f2

SHA256
c8b9998df168a36160280d921d08c317433bd2cf4e50e1d4d7563f1fac04b50e

SHA512
e5e12da8bd2019714449a3fcb626aaa699694046e36c8fe1689df1fb387857dbda4844d8c01c7ce4cb1e21534fdf7c9ad1d5ad69e553abc60631ad324c04a8be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f04f2f8f11bc048b509816f7ce77c8cd

SHA1
4f88c936c7c0a78c8f683cff0761f4033bdf4ae9

SHA256
a8689333d781f74582f22d21723aeb64ba0f238ec9b3324ed8349e5f67d436e6

SHA512
a0d02c4357c253bca5bd67e1780c329fda688d652e3c68fb51777d6e6429e441a0bf2daabaf93b8e1592d336b0b485d8bcecad83e12185c7fc875059a60016c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
710717e39b8ae67bb9b7a60e6d8dbb3f

SHA1
96d325b0bda461cd1b897ce6f219457f65ab4abe

SHA256
9057bffa5c3e277c6b36c28a3ac873f133d29ce1fcf165d7e98f7c759f1f643f

SHA512
65730cab34c9a64384496a95ce68b9a6a5ce73fa40963b0581fb61a8bd9a28b44ec2e36cc339479b2ed04bd941c1bd297bdc4035e8b237829e5eef6909e43eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
24d2c82c64c6b1888e2dbc63e001de6c

SHA1
f4c71927e17640076e85408a4db2c8c6ac0626e7

SHA256
392049e74be93171b7f88d9cbd374bc8e46868bda124019c63c81ceea74eb6e1

SHA512
8763575f617993049211d012873061fac498785d63c3d4210a8d1999eef794ea9e19c150754f9bec8c2b199844b7bd024b876590103e1a53aa578f1c797ee5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d987.TMP

Filesize
1KB

MD5
fc7de840f671267c54daa3e8ecc9e69e

SHA1
65652acfc7ff8c54dcf1a1b030498cf26af19e71

SHA256
ab5962d0caf7505c150d870e737d3f6dab754bc50723cef74ad2610d49301eb7

SHA512
fd2c4eb70ab20fec4f6db9329ebb7be98be7e7885f44b134ed2e9f2069741b90604b39c7f60b5fd173bad91219b70b9c6342ca7e21320349219d70cc705fa83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26efa504aa4d4a22e8472a871d9743c0

SHA1
3f55876fb7ea8b105d08ae0c8f4f62a8ee9fd1b0

SHA256
098b999469ca3abd44e86933e656dd91d60ec001f546af4760bd44381f737f9c

SHA512
711814b3c29cf587188230636f357b89d52bceda807fae56d8b1e057033868c02f43daa9ac80801cdd78dd415ac21047e73e1b3e93471c1051a4d421cfb02ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f0041a3814aa5ee9aa242549542cad82

SHA1
0d89b6de09d0695b4dae0a3e50728f166c656bc2

SHA256
831a51475a08b669006eca1a80851164b706bc7a789b556f1a09fb4ec8b68a12

SHA512
60a7741e807397b8633d746a8baa78b774f0d4a953d768f82820e7584e34baad3b681c5f2b7f95811a4c99882f0686a596357d822fed64b1913056658ce17aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d9ce8fb4f8872a3c6cc701a7691213b

SHA1
58d6b506043e33ba0ccb654d30ccdc7755cc8311

SHA256
b0e9b44e5cbd53cf14648393bd96fc8539e814d2e4132d85fe3edddb9e8cc4ad

SHA512
0cdf68352773e479e902b16112889314a81fe04df811e3589be779c8f70345529fab8991939ad1d8c274663ff5a17fdedce8f2789c56e78588a9b4f3b6877af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10ef875e7c8c2488e64c57f5d674801c

SHA1
4e8887e3157efb67dc69895ed359fcca4b6cde97

SHA256
3d2d0ad6e783d607abffec60f8d668f75089d18e9cbf6e714120e931347e31d2

SHA512
39502bf2035471304202e1c54068352f1ea8125bdbae91042575d3e15ea15ceebee987b79c80faf6227087b8c203ebcc5212fb995157f1bf1fe5c2c33bfd2444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63758ed32160966b58358ebfb8d7186d

SHA1
cb9650d8b86aeda479247b187ea43ae409059a22

SHA256
e620f106d1eb9dd066b3a47bfe347f1c7651970f1fab1f23e25bb7fe5c6209b4

SHA512
5ea16a531927a2e4bb33c12a10f4aa50912eb734ba4e45bb300204de2971bd4642a16acf7d2990578a1f12ff81d544a6d3bfb1db3a1b982e1b38bdac724498ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
186KB

MD5
48a7ffb0a3ddb65bad0b513de31a9d38

SHA1
f3f61f03083d644d0657f98e0777682b99e9b346

SHA256
206680ebeddcdfc0844127d504e14e9cb3fcf679066aedada0f3028e1faf81d6

SHA512
46b2e1a349dfff3135218d73506dc7f3d17eb7bf189179df54cafd1fff7938fe8d9e53eace3bbf78b9ac9e05366d37c83edaea98de56fa1487311625d2517370

Download Submit
C:\Users\Admin\AppData\Local\Temp\NCMEMoEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip

Filesize
1.4MB

MD5
473eca3ac6347266138667622d78ea18

SHA1
82c5eec858e837d89094ce0025040c9db254fbc1

SHA256
fb6e7c535103161ad907f9ce892ca0f33bd07e4e49c21834c3880212dbd5e053

SHA512
bdc09be57edcca7bf232047af683f14b82da1a1c30f8ff5fdd08102c67cdbb728dd7d006de6c1448fdcdc11d4bb917bb78551d2a913fd012aeed0f389233dddf

Download Submit
C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\6b4eb7fb-5253-4029-b91d-43658408314b.tmp

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\AAgs.exe

Filesize
202KB

MD5
151269dfc45ec1e0fee0ccfede6e8cc4

SHA1
e7e08010d783cb7011a108961c517055894ef69a

SHA256
c8159ab98c7e5f69e8d5b9e96e902603763cb1fb1981d7b1664432f6a45c9b7a

SHA512
5aa65babf4699c3f54757a51647b6c019e02b423cb5014dd3bc3625c40025e7bc8a91895c667152ee39a3d3714d378a46903e9cea08f7977d8470a3199b77f70

Download Submit
C:\Users\Admin\Downloads\AIQa.exe

Filesize
646KB

MD5
c5462ddb2740d8eb0ebd98477210f6cd

SHA1
0a79998e35145a595bce46cc650d5c6e239b24be

SHA256
2b81dc51fdda048234fd72e9525033bc8c435c258f85d3c13ae9d431051ae1c3

SHA512
ffb0063902866d3f20ee1c3f60776ded37c84341fbe157f2937bddfbecc6726b1643b856f008d06992c38f6be6cf1dfd0e26cfe56041fd4f609e23c6d5565a4a

Download Submit
C:\Users\Admin\Downloads\AMYo.exe

Filesize
488KB

MD5
d957dad28665b08d7c8642c05953a981

SHA1
9b05f464b8bec670ffd492805a64388dbb735ff0

SHA256
e5a23ccc53564e3120be48de6fb4440fb587cdf07bbf8cc3b8b6645cf71b9142

SHA512
b90f834c2f6e6efd8df2f48c54e80259c8de9d0bff56fa763e22aff234b93520f2106e1e7f5914866540078063ee3882404f61d63031b0910b39bd9f2686878e

Download Submit
C:\Users\Admin\Downloads\AQAC.exe

Filesize
193KB

MD5
c052932356bf8bf07db4893550d4f930

SHA1
e03034579022ba117d79a8a4c0d6029601afccff

SHA256
a3201b72f2149a03ddc28c4625993de79a2ac2fe8186bd4b8eb70b32a748b42a

SHA512
b1c87203ecb18a4521d89405436154766feb5a2a82f11c65db8cfedfa858eddfac9ca4bdd37808cb589d773b243caadb01443acb894f3630b5f34000850325f1

Download Submit
C:\Users\Admin\Downloads\AUAY.exe

Filesize
194KB

MD5
8eef4d1803efde5a1705d7b23759e85c

SHA1
cccbbed06c2ca0cca235ea2904087e644467bb5f

SHA256
63cd2f14590a1cdbeb93978c1c097be2d7441a71a2486e951935f65ff683a43f

SHA512
12582771131ee1f2e39b0d9208bce10a82394f566849015820c0105fd93840b6ced235773c112b4beb5114d306c8e86643a916d3145d6afe8d77ba85de55051f

Download Submit
C:\Users\Admin\Downloads\AYwE.exe

Filesize
316KB

MD5
4ed9e7bccf051c34637bf79c12fda702

SHA1
36c475bb0cacc40e06f108e72fee9e75657a63b4

SHA256
9b04883cc167009af10bf6f777c3bab8cbe18bb1a6e1aa5683f8485aff342dc1

SHA512
3f7231625ffb94e9eb98cee644a49c210d8e5c66df469db8fe61ae0921b493126e4144bb29e92fcea0efaa5f5218e84baf7ce351d8dd1bfc8d02ee618df6c42d

Download Submit
C:\Users\Admin\Downloads\AgentTesla (5).exe.90B609B3AB78D973E9B2D3AA174DDC52CE2C10322E79EE3E8CAF535067313918

Filesize
2.8MB

MD5
54a23a825a9efb7723c0562857bf2cac

SHA1
8e0a27fc011098269fb7f76cfedae26840d5818b

SHA256
c737143c5395444b4da4e7c5ffe27365338db4826a03dd214e518da64f5d5059

SHA512
1f98f967e6fc6a2073a2968be587860bd54e17a691b8297f9fc5ad7fa43ce006dfad7df594661bcc71a466321d35b8a6beccc8f3e9385a407d1d68989e101804

Download Submit
C:\Users\Admin\Downloads\Asgg.exe

Filesize
1.1MB

MD5
c16d39ce96916c627483bf37a0abd38a

SHA1
3c8a9c2cf7a35490f622d8ed03c027e6ab5e3cce

SHA256
bbe389a914fca5c652eedcfca126ca7bdb808a741a5287e005a8d6a9e022e269

SHA512
d36e7b6607c47289da79b9abafeb0a36720b13bd933f32f1cf553db394e1a8f79bb13fa0a6f3e9fe9ba9fc42acf7ad095dbd3a973146af2bd9986a76a9e2ffbf

Download Submit
C:\Users\Admin\Downloads\Awkm.exe

Filesize
183KB

MD5
3a628a3fbf0e1995e403af55af799d71

SHA1
56655c2012427d4446853986e7afffbea014f1a2

SHA256
fca64962f56438fe4524cd964193dd78f67d184d0fd1b150730bfafdf78de865

SHA512
a24c263bc9a3a78398a07fe64c6e435ec6efc4708f907cb408df3873942295347209db547a1000dfe4807e2155af724741e2a39052252618d7a42d6c0016c06d

Download Submit
C:\Users\Admin\Downloads\Cgwk.exe

Filesize
183KB

MD5
87c98648c5419d3e72c01f2a95f1f288

SHA1
4ccb97b492396075c74498037b2e2447d353ef86

SHA256
c8db5320d342f6462af4a13edb615b4e96df48132fe3868598e13969b9f60d0e

SHA512
33e174bb5470a2b203595a8f48a1ab20d0392c6917632ce8df5b0376748e885a5960740c59910a68a17da069f403e398fa1c93648e5c0c8d3802a2d57d5aecf9

Download Submit
C:\Users\Admin\Downloads\Coow.exe

Filesize
644KB

MD5
8b44a037a83c04a18a63e926a721b969

SHA1
b5ad0cb47c43bbce85717a24c09834d3576a2561

SHA256
ad540ce200c382f83df3962315a7b2a01053cb676c7b4a9c06f0c59d64887ae7

SHA512
56d028767ce608714845e4c589fb27d2825d0336c9b55fbe2626b7dffb82e73c0a91579ee303d9c79a00d8e8d05bd0c23fcfbdbab36f4d559db3bce865e3fd2f

Download Submit
C:\Users\Admin\Downloads\EEwk.exe

Filesize
182KB

MD5
8fbb68b1d8578540f4f4766d2d20620d

SHA1
6603954432d2b22a72188719e62247958310eb83

SHA256
c3e08148ef9a2cb0b3cfbf9629170e820b8f8a5bf0c167d3f30eea3c0a62a043

SHA512
6318da54797e54abf73c7bb10723ff0a99187a160d1c1f251fcf435c31363f7fa54cda4347951258387450599ab9a18f62b650313383d53c2b027bfc1eaa002c

Download Submit
C:\Users\Admin\Downloads\EgUc.exe

Filesize
737KB

MD5
570a154b6775b7cabd8c1000254102fb

SHA1
bf591c8def0898b3aec2a11f434353119a1549b5

SHA256
96d590ebe9f8c5fd74aea7666b0c5d3267f4a4646873ac071f3edaf65234f82d

SHA512
9c742cf0265378e58b159c92c677e22bd63b859293c2980307f25f079804a1745ad04947bfbc896c072fbefbb08cbf072b76cb2b9c225a14a21e64111b894e4a

Download Submit
C:\Users\Admin\Downloads\EggK.exe

Filesize
824KB

MD5
6efe25cf9291ab753dd29b580b10e06c

SHA1
1719a242f37339cab97da30bf84f4657c1175f29

SHA256
22cb364abb221392551bc1c6bb3e737353158f056c9e2e6ec2d2383c80a69bec

SHA512
cdc92799c24553477ce732d82700e85130657b33c0f4ea7c4db3df39ab48db98e83b57f2c478d8e8bf19fbc79c72355576c3aaac192be09f09423e1fc222fd00

Download Submit
C:\Users\Admin\Downloads\EooY.exe

Filesize
195KB

MD5
a36d55410d24dbba1517cf1d82bbe1b2

SHA1
b05368b71bc40fc56f016d0e04aed5fa625c184e

SHA256
973c79f4e5fac5b7bdce1271d25cd38b3939cb4751322c610b10a6e5a294df01

SHA512
34b47e4b6d0027dbc5475659046bf1e5edd741790c4beb69e2f25e6e085ff46755c7dc38bb4ac0064459b23369109fc62e5d7c6a4c316d1fe2460102d6e4b628

Download Submit
C:\Users\Admin\Downloads\EsMg.exe

Filesize
227KB

MD5
3c23245ca14eac6342a401fe2de6a05d

SHA1
8e10affb3e30fb0e6df686d0b1fe7aec4b479a21

SHA256
005c71cd0e30765f110fae5264c146fa9805e3f428e6aa83e5912bc2700897b1

SHA512
72868378705c0167181203ca2fbb9ed02072f37d98725b63b2573b72fc7a958183bb1c267865ee323694345b0a834073721b1db0ade5449ca458c63bd7abb647

Download Submit
C:\Users\Admin\Downloads\GAMK.exe

Filesize
211KB

MD5
61025a061ec1f7130bfee8d91304ef87

SHA1
a4668904c46c864424976894b1eef9b1a15d0624

SHA256
21b6da3bd54a952aa5c5016886d016b344ea4d6fb352f1a1f1da86d6d5f0fef3

SHA512
e63c59be3ef8f333b8c78ef3d42c93af7bfb7a12f02f1534fea5d364f44cf0685c7ceb3b0355af5a55ece0cfc7c92a6ba5aafc1781c64a87c8632499d895e3c4

Download Submit
C:\Users\Admin\Downloads\GAQG.exe

Filesize
1.6MB

MD5
23a90e1b3dc124329526b7443ae03964

SHA1
eb44b15a0055a6db84eae2cf311db7a768ae9a0a

SHA256
6c29c101a0efd807447dbcb8ed853d9f78ca4f325ffb7a2c2f07e3ed61487555

SHA512
843411d6fa3fa5b3350ee603b16cb60d8e087eb61b1b46df7787cba6ba0199fc4157fd9f3e67d70defb96d9a028cb2eccbef91effd5d99e6ca3b139b50d4ecf9

Download Submit
C:\Users\Admin\Downloads\GEAe.exe

Filesize
192KB

MD5
deb0be2ecacc2b1a3ca6d37faa8f33b3

SHA1
6e693083399d1ac5cb03aa121b8e43c65046f4e9

SHA256
35a798e8836d0ab055f2d5c9437e1225ac71e704e5ddae10c97158502755ae04

SHA512
607f0f20452ec12227615c266294b4805fb797d0866a11ab0c6807552c8f7b17bbb8cd8f67d4cc1cb9947646c1b8275f430145cf75abf1587b181a0cf1d53898

Download Submit
C:\Users\Admin\Downloads\GcUO.exe

Filesize
556KB

MD5
f7de816ba368fb9566d5d77ad02bddbd

SHA1
8a2d6db4cc30153c54ef792418da11af4586fa8b

SHA256
f65e09918ec3a1effdca658ecbd165fc8b6f51065f21905f17c7217aedd6f1cb

SHA512
dd7c15d39918a80862e4b529b1d04523f2bf8b1b97aeb47b0d9a91b81f10ca620239fed3e1a4498623dce84dd591e07141743aab989eb527f5b3a211d7efe8e2

Download Submit
C:\Users\Admin\Downloads\GcsO.exe

Filesize
648KB

MD5
36f3f5ca2504de54763c0dd22e447c61

SHA1
62698b5bce5f7c0778c3712f2924cb1f53e0ba62

SHA256
42618b32e8ae182475f985bec0287c39cd78e5cf7cef28c67419d500dabd5849

SHA512
d297f6ede2b7584384fb9d67650a99b7087dfb4e91b2bdc940bd3e3bb98c176d2bdbea7b86a8a8ada2cf369a718b5000f4d76b2b08f047e4c1fa49f8dd518f12

Download Submit
C:\Users\Admin\Downloads\Gocm.ico

Filesize
4KB

MD5
7de70c5f9fde94ce0179324aa5720a58

SHA1
b34c69a980c52938d5b4377376adf15fad17dce6

SHA256
955ad377b15d14e80d8eb194375f26e0e9e339b1cfc1e4047e16ae0e0f90fe24

SHA512
0b5b089bb8ae1a97e4a882f7e35c7295cb81127f0915379676590a2af296012782192381e2bf3d010f0a1c693e2eaaa2f083fd8fdd7c3191a8537b4553676ef1

Download Submit
C:\Users\Admin\Downloads\GswW.exe

Filesize
994KB

MD5
d645ddfd73546956fc2ebb7c2d7fc378

SHA1
08ec3e574e4577f72f0b5953d7c2a56bf2de2307

SHA256
452e4fcded38d4c8c6b11f8e37ff8361ff1b57c13a85ca9e31c8c26be4296019

SHA512
97919f8a7a6d45269ae1563ab351f08074f911323fd4959a79254f9ba4b8acfa8a4c86aaef9ff51e7857c65c3bd73940511be50ba3b9557f569bf527ca473bd8

Download Submit
C:\Users\Admin\Downloads\GwcC.exe

Filesize
1.8MB

MD5
4b4228841479e17fc809f920a36dfceb

SHA1
2247b8ce98ac67db60e4c1396ec939d73085365a

SHA256
6c71fca1d7ab8740adfab20ba6957d88fc8858e0f246ca3dcc2f68df44d99991

SHA512
8a1b6872696efdcc70fde9dffe79a2b67a83d72fe024c22da6b0860a513fee3136cbe4e0c00d9cb8360eea1e2999719397b9e61158365ec6811e54f7fb1b7924

Download Submit
C:\Users\Admin\Downloads\IEoQ.exe

Filesize
214KB

MD5
ff93ecb60b8eaa44ba5b20ccb4facf34

SHA1
c6b5d2c71b7db78b86f844465513008e5efbe080

SHA256
496130bc4c3db9139ebc1c600e050da7978b8a1129f905000cb13b4e25124d29

SHA512
f69cf27346282c51fdadb251e779cce7e8e354f3a7c8fcf47e08e6fedb20578c2bcca7f4014ce62dadfa3aafd62bdef500a9eb5d78ac158f821c56039f85dbea

Download Submit
C:\Users\Admin\Downloads\IMIE.exe

Filesize
211KB

MD5
8a875364d889474840b654467543990b

SHA1
6716f65d47725bd4c023866e0b7d14b558ad9a0a

SHA256
2ac55ca1f64de9b2ba7686bc4e902a9ea8a462887ce31311d443f9f4152331f3

SHA512
c7c0a3299f76fc6fe625d164d9c6167bc2be3eb67994b350f54dc3fff97694c723aef8fb10b9e80e754ee2406e63f6de4dc96e5783c64c198dec7b6390c39746

Download Submit
C:\Users\Admin\Downloads\IYkg.exe

Filesize
319KB

MD5
8af16047b23524e4773c96c3f5ec660e

SHA1
ad5c7cb52217ba0c5951a76171cde0e9107b516f

SHA256
bec018fced847fc8cae92993d0132b6d1e654882c9c66ed6382959e8769e97d2

SHA512
e11b67f4d722c0330ab802fdd7320f23b1efd779d88d87d19189334d3dd6b28405983725831d4b245cc40ec343347c01e04024028b8cbd441c6473cd583b1da1

Download Submit
C:\Users\Admin\Downloads\IggC.exe

Filesize
779KB

MD5
13f4d8fed1e7968981ecfbda44a47bb2

SHA1
80dad3e0962bde85dd6a373362f1c134513099b1

SHA256
6d7d8a01cbc539850376afbb8bc7bbf2f2ffed675b7919271460224125cf19db

SHA512
0381489cd99853152217cd3562272cf1809d49f35cb6e1a867dafcbed7cf52df18d7b9577e5aacaa8578cfeb4ba406c9d38f74535146960202bcb64f322f5e4b

Download Submit
C:\Users\Admin\Downloads\IsAc.exe

Filesize
191KB

MD5
a1661d33391eb26adfd769137876403b

SHA1
f057f55580671c2bdfdca772908bbef62e6bedb5

SHA256
44476637d3c0c2b3b6d1bd03b1703b2163f8fa27217445f3289c9dbd29548b96

SHA512
c829e4c826fcd7ffb05203195a0549cde6696c7805d52829ed0e2e523048c308ed77a2e62bde0c4ac0e8c627c6dec911571ea6ab47d1c2a4c625c42bda032571

Download Submit
C:\Users\Admin\Downloads\Isoc.exe

Filesize
190KB

MD5
d901c8c2c3e565743e7ef6e72e9c8493

SHA1
d84449a517c871015d59214ddbcbdcac3f2a2ade

SHA256
fad566196333c1880f7031935542000036c8013a4a4f13eba224da26b589f68d

SHA512
f921a139d67c89e7d961315ba8e2d4cd9091b8e3aa0a6b37baf30fe6a2e586288e6292a43184462731f5f3a1fefa18cabab4d1366601f0d35a4d438c3c560e51

Download Submit
C:\Users\Admin\Downloads\KIoe.exe

Filesize
318KB

MD5
0a7a6f4df8f4f421d66b7e417478d3c7

SHA1
47acc0fe945f9c43b22f225355d725cf24de2026

SHA256
5aa926daafbcfd192156c9e1264ba506b8dfb6e84bfc4f14fc7369a7cc59bb51

SHA512
2c229a3e93d786dba1a87862f7fe1051fb4f54310e1d8b60284171e54fd364a15d369b3a2c0b426952e5f3eb5292062e844a8000d99ba2f0ac27d5a076474ba5

Download Submit
C:\Users\Admin\Downloads\KMoQ.exe

Filesize
251KB

MD5
26cf2c00efddcc41d5434a8272c38182

SHA1
bde8c59b28ba8b6513ff7e57f01aacffa33658eb

SHA256
8da785d085a870b7e21d3597900e27558c20980be084df0dc76c0091f307a97d

SHA512
a7ba791ee0989c79763c595368bbfd4e21d5ae5b175fe04c10aa06219dcbe837180f195b0487ab03c3989116092badbd2c188e9174d5c93d2cc203d2d61cd47c

Download Submit
C:\Users\Admin\Downloads\KgQS.exe

Filesize
207KB

MD5
ff9b2d64ebb8c524b3f9b14ccc357ff2

SHA1
64363c76ebb0cf6e5b3985fc83622d175c1579f2

SHA256
c651f8882226776759c05a21d8269733440126942f9739ef9d88901fc394a683

SHA512
2cf95b8ea8de94c8f56a6234c80fc44e44c3fd6a0ed1b75480c91a4bc233ea4dbafa2d66f86d9c51297086861f247a2bcb8391572a3d8ab735972d59a12dbe16

Download Submit
C:\Users\Admin\Downloads\MMEY.exe

Filesize
225KB

MD5
fc85f41db6d767331b6f293aaaebe569

SHA1
fc26fde615fbffdc5544ce9b8acff812e048e511

SHA256
4d9615fa4bb6a007d815a8457883fad9dfbe6a7d74af84e010727ea62e331bee

SHA512
7b0c7e7acb6adc60fc3d5cc86d7a9d6ccfa2dbd5fc00b6c26bf564a82b2790cd62f5494c201776d232524be672d56b162f9ad8b4f997dd5d4e5611befd90d604

Download Submit
C:\Users\Admin\Downloads\MQgu.exe

Filesize
809KB

MD5
df5227b55c6d48add8daab0e847b742e

SHA1
0d627e8bd21f6e6092bcafac6f3f1372cd2a574a

SHA256
c56e991487528032a13142620869ec6dd065d87241cf41f0cd9f50a3c27f6268

SHA512
412876900576ec556ca85f7281d0c0aa71ebf95bbf5d634e5632e3c77961d1108a0d6440de12d06ca1ce9e8c11f188ef9b9e4a0d2e7160d380035196d3edfab2

Download Submit
C:\Users\Admin\Downloads\MQoy.exe

Filesize
224KB

MD5
c95d9471473c94fef83e34598790afd6

SHA1
131cc7086ed866032172473efad02bf27a2f68a4

SHA256
99a007e22e194ee981410ecb8ca6778f086430de125ceb73ff67e6119b8e3bd7

SHA512
8dfec4498081b434a555c6b9d17022439b1b0511c413ceae6c31e5dcc67ec2fbc329c7ce59675a19d035d56dd7b1bc602a259e9517d51c752158f3f06b76f64e

Download Submit
C:\Users\Admin\Downloads\Mwgi.exe

Filesize
188KB

MD5
32548de22354ebf1374fb2245ae32acf

SHA1
fdfa38ecd44eab26676567d1bea9c6d532ad565e

SHA256
adf736909259d885844c5bfef843075674e5b6fdc2e07967a7622c6ab085c300

SHA512
3e800d64789f2f2abd3c6a6e0214382ace3e611b9bbdcdca65c094dcc674b20ee25409a55de0e67e1db55daf51acbe2c37e136a77eb87ed06524e2d2c1bc66f5

Download Submit
C:\Users\Admin\Downloads\OEgU.exe

Filesize
205KB

MD5
f2a231404fd888dbee04559a721f5669

SHA1
84731cc72eb0202dfff8041252b4f0276248a9d8

SHA256
546a9c9d7bd1d09a31909279653451f620c86c859214e871c4f6430dab617392

SHA512
6c8367e067466ec41540c5f427dc7f82092bc252fd7877efac4e1faebdb9e451fc3605f7ad229a9af5f052d95bf1b6a31fda33bfca702bcc7e7b163bcb3a6048

Download Submit
C:\Users\Admin\Downloads\OIsk.exe

Filesize
206KB

MD5
dc27093e4d012326187d582486b93d96

SHA1
08638fcbae456c62b6f649ebd74d6502dfa338a8

SHA256
44b4c20127d0f388b54b14b0c7723832adf7e2029ad7c99dca17b50d0218f4f2

SHA512
738de59f6befd0a86a2917f412c7968931f0329a011744e5ac82c8e9a429a1ba8aed602df8482e77b14f20d0c8b63fd8801fec816c87929efdd00aec26a578ed

Download Submit
C:\Users\Admin\Downloads\OkUS.exe

Filesize
210KB

MD5
84b3a72f9117d1a5c397a9bbd0524f46

SHA1
d839f4a415b3b06067f683a2cf2c7c32834ee7a7

SHA256
87c20527412bcc1a0c8866e29b949f7f3d467a37c9dd01abb68adb0cc620f89d

SHA512
76f41f5cffe64a1f549711f08b390e28b9716692a9310956161de4a4510d8a97d015434c01b73f50e24fed7c2c37a86c28097202eb1424494e9c209563098af4

Download Submit
C:\Users\Admin\Downloads\OoQk.exe

Filesize
180KB

MD5
6a62effa0ca564eb7370e3291da46484

SHA1
49a2c2d5ae01ce8f30de924d61735cd745651dc0

SHA256
cc7a637f19fff5d026fcaed0a01b910b735dcfb560f036d663b13badb1f5cb7f

SHA512
c03caade93bef3ae8e0c640049026e5679dde792d467e72a296c8f91e10b65f02d4ca6c8247fb55f8236e2ff77ea470b881afb911c090f3a525d1b8fd4780783

Download Submit
C:\Users\Admin\Downloads\OswQ.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\Downloads\QMoQ.exe

Filesize
316KB

MD5
54b21c52c29f986dbfd4e0e3f223a583

SHA1
6227f90a6c21c7d6bc925b58df51398d20a008c8

SHA256
3a1bd05de8b293e83e152b7305745329b58d9705d1887e4deb44fe6731dc8e94

SHA512
bf86d144ad33e21b1db6cd172fd020bfb11d8b8d0fa603a309be5a26dc9a1f05dea9716414d3511418e0b6b487ad2f5e7f4d9900faa3f1a887789841b7cad278

Download Submit
C:\Users\Admin\Downloads\QQIm.exe

Filesize
183KB

MD5
11c440551d63c1642e54471e3f8509c1

SHA1
1b521785300bb6367d474b1dae819f37f1eeac6a

SHA256
7225ff3d982e52433b583269aba030111933b1a336833d81fe5ace00264c349f

SHA512
87ad78189248ae8de2279d044eba5468f8f11a70b560094ae1823f6b56052d12798b442505f4ee73bbeec737a5d7d7c2255f72cd6c8d63b5fb6c8687783e45df

Download Submit
C:\Users\Admin\Downloads\QUEi.exe

Filesize
184KB

MD5
01e5d002ea92cc8ad967cbe5c00723d9

SHA1
de1b375a0f2d893ecd3822072d59102487f476e9

SHA256
515a808e5e55c1b48c60e85dedad2b4818abfa64d125ad338e034e3cdc071415

SHA512
7307df0927b61e46b855f4b40fbf0f9d5b9457b142a697d826bc7cdd3440cc4322f791e3b0b42430c5a71ade229b896dfe4b1fd3faa66fad472bffc3a23a813b

Download Submit
C:\Users\Admin\Downloads\QYQw.exe

Filesize
188KB

MD5
0634d510ee764a2f1685c72296302753

SHA1
a97c5f14ab6421ea03719b1da3b7299982498ded

SHA256
e556f6e1973e3c8432db79f77a2fa843aa0cfe9bd4075c4e2d20e2a0f3cc100d

SHA512
3483484c79624bb1c8818777445333a7e6aa24882eabda5aa98c1f6cbd43232091ca60b73b73384e54a3467a22c83166148303ad6f764131a27ac6da64adab50

Download Submit
C:\Users\Admin\Downloads\QYow.exe

Filesize
194KB

MD5
89798d64b687aecad4ebdf81590c70e1

SHA1
cc62695661501a21f13b117accc8b540b6b132e2

SHA256
8f8a1b4249849ba4c4296a3618b63e80ac8ed403ba9c7838d363648f0993f8b5

SHA512
ce009ef5206786dd8a3352c0e73c191daf0df6cf6230996700d5e19718be4347572ea6847fb0e7de9757f68315e60ee5bad82fb13af9a68d5c41a7f77fb6778b

Download Submit
C:\Users\Admin\Downloads\QoUW.exe

Filesize
200KB

MD5
b6bc7f177d72696e4d02121db2894ee5

SHA1
6bd967dee5d5c5d8d418f7535767099c8ec9a3ee

SHA256
148ae1295a8f80a84b78d2d5952d16bb306ac9365db677211d0688b83356b8b9

SHA512
f515c51a0f925444003297e8c7bce06083c035d56b44af189b19ba165acfbad953766281e7351de11ee70583aa04a90e557ad4e022f9682c67453c59f6b822c0

Download Submit
C:\Users\Admin\Downloads\SMgc.exe

Filesize
204KB

MD5
26d87ceb355b2181c222befbb29dd657

SHA1
7e384cdcdf19a7b000dcb5c0805ca4e4a51e2e55

SHA256
b6b0256abe74ff06c2ebe598371886f626f693f6dc4ed53b0addee88b5fe42a4

SHA512
a002f19396cace995e84b1a1557ff5a0a314314b925d465155a60ca05d5a8444013e7598310036e5358dd17eb4617164fc3ad2c6082f6c335e773c8bd96bc61f

Download Submit
C:\Users\Admin\Downloads\SMkM.exe

Filesize
231KB

MD5
bc3a7e8d51045e5bdf50cfb3eb8bd004

SHA1
cf1d09ab72a8a535dff96a7f992ffd1e5e50a7a5

SHA256
d1df7203211d4bfda3aa071585502dbdf89ebae2be39ce487d56c633b73ff853

SHA512
669694cd2bf0fd7bb4668487c5d3eaf39c0efa162e898b73853fdac5677a2b0ce65ad42ad5b080e5ee4beda1ca08124ee076c219919f83db263a65fafd37189d

Download Submit
C:\Users\Admin\Downloads\SQQC.exe

Filesize
193KB

MD5
59027f43e64b3c3a6d5e2e1dd152b570

SHA1
ddfd85fb287bf8a92e0cab89f69413504262ba53

SHA256
9471464b3c904d22bc73952799b04c060bdc1c6022e0fd333d79206949d5b0bf

SHA512
672dfd6feb03e70b534c5c126be2014a243e8aac6b563e30468701cf779d66d636c2702534710c1cc475d5a642d8a98c883045b03a7851efacd1c60773686fd2

Download Submit
C:\Users\Admin\Downloads\SQUA.exe

Filesize
451KB

MD5
9d1f19131d9dfc02fae7e944b060584d

SHA1
0d14fb36cc88fe9dfe494abf898c32107e44145d

SHA256
e638e049b16b085d2e52928a148429a3007fe15d1a89d9ef49d4222c2f5068ea

SHA512
6c2a08c06a85985be18e5c8c86fa8a7b2e0bf30d8409f242dc6c3dcdecdc39c0ca92bd6faca1ada48b06edf4d3c629aa9cf3673540faf28c293916eb54b64f88

Download Submit
C:\Users\Admin\Downloads\Skok.exe

Filesize
189KB

MD5
711e340db2f24d8f37c724b41ce66f80

SHA1
88f970d8d5be2bf6b0391ec58c44045b240c6ccc

SHA256
c20b50a8e2ad8bf7a80de7ffcb77d677c4d2733e0f80639e86a3e3c5c289c2c2

SHA512
3f4e0056561ed86d81fc64aed475469db6daec24d54e4d957aedda24f924fd9072c488605b24566c8f977779e166ed52bcdf0586d7acdae7c52572b8008cbdd8

Download Submit
C:\Users\Admin\Downloads\Sksy.exe

Filesize
200KB

MD5
21f50c6b47b2e5d044955db39400d9e8

SHA1
d54906a50a5e904b56a2ee2ef82a71a70d1c5a45

SHA256
76b1e7abb51270980f7abe6d369735e601ad50563bb2f55d9c5db300abda6a32

SHA512
3e102763bcb3f31ef382f210ba1815e93d4fd1321ad8f83e5ff2d5e01d44b68b0703894f77de2f537f411a08cfcec21167df942ce5a158c5b669c7bc190a76fd

Download Submit
C:\Users\Admin\Downloads\SoEo.exe

Filesize
1.0MB

MD5
12c463ed29515c1d8f85014c04b25c16

SHA1
182a80de8305a81fb1637b1e5578659d8a921a39

SHA256
051a289702ca4b822e19e46ed20ab1ae0758d5190b6bc395837459a6d1bb248d

SHA512
f6fe261e7c8f5465f5c4d083b88fbeb03cff013268fec2327ccd43ddb33aa779d377980d592da6b5f54baee7733dfe2de2e2cd77352591ced3dd311127c0110f

Download Submit
C:\Users\Admin\Downloads\UIUa.exe

Filesize
209KB

MD5
4d212864fdc0344467f3b5d6a60e26ef

SHA1
b14d658bb48c4896ab8db40a3ef88ca6d4eeac45

SHA256
c86baaedb1fef2a8bef409a67f865158b4240a27c83e6a748322dad124d2e91d

SHA512
da73889ae7170ddf11b469842a50399234ae189d9fa155bb4671ad0fd8303de67ee2178aa236051cbdfa359060d8f0b92a15d52e7a1b3a16a92e5db6cd87684a

Download Submit
C:\Users\Admin\Downloads\UQwi.exe

Filesize
218KB

MD5
f3e33d68a4b9548b10b1099ce98b2134

SHA1
44c24fcd6e4169fbcbdf8759bfba2dd5b846f864

SHA256
1b346923fefb8cbbbce7d399a1fec9546810a4ff40bf93582e4b2b9ca73e2497

SHA512
1c0e74465a67a4b3068cba7f75bf23197bddcf807769b54a001f88f0e9b2880cfab8b47f136e137490a1d827716f813e71c273363ac7258a67412f345f6460b1

Download Submit
C:\Users\Admin\Downloads\UgMY.exe

Filesize
214KB

MD5
a9dc543f281145a733553d3fee5ce375

SHA1
e8a297ec8c666e216937637ccd718bc822ffb40f

SHA256
895a59b9dda729d7300a62106aebbbab863cc1d9fe0c0c547d56d8e1fc0617ad

SHA512
820404dcdad6fadca8d5d93ba57a1b65e9e7377e3687668dbe92340f1cd7ca38f64888ec7126d9d91008462254f6a870f9d165340f6a506985c8ab663550db80

Download Submit
C:\Users\Admin\Downloads\UkIk.exe

Filesize
1.5MB

MD5
b83d0fbd8548ba6fa4eb359e384995bd

SHA1
56e729d888864772d1205c51517637d9f3c48d63

SHA256
a85450fd0be2fb9218926ee1c44fba128fbe46b7092c8d2996d51203193229ef

SHA512
44f91ae337a396935a93f36daafa12c3ad38041f77fc9e8f2bc09c69daa1383758cc3e4c0f86e5d800a4045ba616f5db613fb0fc9f3328ae82365039ed7b2b5b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 223991.crdownload

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 536714.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 793602.crdownload

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 812957.crdownload

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 812957.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 970615.crdownload

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\Downloads\UsgC.exe

Filesize
190KB

MD5
9ff1e0dd4b7f46b8c53acb4a2c7dc680

SHA1
e5c199c88b63acf9a80f49c546f9801b38bf1328

SHA256
3dc6b57f501b2e865a27e33346320ab946ca105d0059b23946079c3eed179c86

SHA512
22f7cce29dba5df0e2f6e3279eae3edb25e938cfbe9fb1554387f04064266a1e408cdcbc73df87297c99ec34e5129b8962f48b1fb1e6a408a62613837f8fd393

Download Submit
C:\Users\Admin\Downloads\UwkI.exe

Filesize
211KB

MD5
c46b1c1d35af4f32a9cb156ad91e76ab

SHA1
9fe66d160a8c793c1e8d74e2a6dd5ad84651ec58

SHA256
e83c4a3cd80b72a72ea2e2ad9b3023e4948922227185212beed6eefafaab122a

SHA512
c078cd9b995123800730504bc7cacd33557d0db90d1ff3351038ea37bdc38b66225bc00494534c264ae4e1c3ae0b3ed6be42dd1b796639a02c2e9df7bd0d9d94

Download Submit
C:\Users\Admin\Downloads\WMgU.exe

Filesize
186KB

MD5
157e5ef0c6320054a085ff8ed87b7ffa

SHA1
cc3010257e2752fb111785acba3a14d8423204f6

SHA256
72b859e15dcb8eccdcae86c55a2b887d4609e4eaead1e51e2d57cff912c49195

SHA512
35e7d22d19b4f7d7283ffe2614abb2309523e3d525dad2afe2f686c40739d15a8e4890a852bb4ea0de848b7b69639f5db64397f02af10bfc9a1e58b54b8a4b6f

Download Submit
C:\Users\Admin\Downloads\WkcU.exe

Filesize
202KB

MD5
bd0c3481a0f6c3a134aa5a815b2c35af

SHA1
7038f7da05e925ba8b9f5380e386f182bce1880b

SHA256
583d5463abae309008e5d0d67f02cd3bbac1110ff20c9894b24d4e1fe6563916

SHA512
de9a01be0a117e974598277110d35eda5d76e04c0ccb73da1e2345d9899eedeb598dcbf97fc95d670d16812742267bc4e84ee182a06bf50a691c4f433144f571

Download Submit
C:\Users\Admin\Downloads\YIoq.exe

Filesize
803KB

MD5
b61c77f4385878e681af459d119819ff

SHA1
698f598b77a5b3893ffa7bf810b1458763ed9912

SHA256
a35099dcdb8f22c1ee33b5d383842b3004e36c7fb573d020d24c1d051b386061

SHA512
8e96fd39a837b3e0df12a1aa6c898dfb0491166cc4560e02a687618e24994c13bdccc015101650a308b8a4853f61700feffa6b3fddf11f3deace12cb996102c3

Download Submit
C:\Users\Admin\Downloads\YUAw.exe

Filesize
221KB

MD5
1d91ab34c530a8372593e83f8df353cf

SHA1
f3bbfefc70359d6ed268edfeb58bf3e058d8bef0

SHA256
5101cb60bb72ab424373849ffeb7ab58a35007d9e566aa445d9105aae3a1acad

SHA512
e6d8dae25260424d69eb97ae64a13157249185c9c28515e267da359f2b7d3662dfd76b4f1e8ad00062c502dca5dc6a9e4acf4bb6ee857fa5ce972290ce869db9

Download Submit
C:\Users\Admin\Downloads\YwkM.exe

Filesize
644KB

MD5
7916392539539490992099d97e1ceda4

SHA1
f921d29383548cb5a13bf27064a4a10a1cad8802

SHA256
940db7fe43b41ef985a543b07d69506a605a6872e000ea01fbec272b0d976431

SHA512
b51f23eea4393d52f7525d8e148c3a04352ee231d12b57d2c40e4e33df5594fddf7128fd8f5ea6d0de8ce84e18c1b137e1b249f0ecfe2190c7545663b1c64ac2

Download Submit
C:\Users\Admin\Downloads\aMkY.exe

Filesize
196KB

MD5
8b471a77992e4c1bb9e0456de89034f7

SHA1
8f5fa9b5be90fd7f8dccc85ae135c15cde797ebd

SHA256
567f18fa4ae999c5ad3f20a9c4a58e2484248806452a0726a1ed03e0f724ee1a

SHA512
61f80b3e84e21111a5b856fcc22743b1c3a3a1ca8bfc51259bd8858274e7ac6fd279f743d99c6e6855bf31627f898a2e7eebfab2f3537641de0ec4dda02f77c4

Download Submit
C:\Users\Admin\Downloads\aUki.exe

Filesize
183KB

MD5
90b8be572aef86c45b0a662988a85364

SHA1
e13a6374313d714b8e00701a955f1cb7edb5dd76

SHA256
b740cdec8fee41ac063c23e6517abc70c681809b395070844ae5e44489678d8a

SHA512
13ef066aeb97da6af707dd355b84c4b2f113819b151a4bf8926e62f0d3d85eeb198ba58535f845ce2c3eb0c9647df57df66345ce73541e4824b5a6f61ffb06e7

Download Submit
C:\Users\Admin\Downloads\aUwO.exe

Filesize
185KB

MD5
7a0b5c562da6fecf99dc34549d52d0f5

SHA1
ba61643e69a01b4ee8786970efbfdc5d8e0a8dcc

SHA256
8f98bb0a545a696970a973d1ccaa55b567ac8fb0512de43afac52c96e24ffaef

SHA512
ce4fd647ce947ed9ecf1fd6f390868b25b14b2258a5a9d9f6db7b44c497394ea6bfd34be09eb25c5eea14ccb551056fee22823d11cbc7209b1bda767de14f2e2

Download Submit
C:\Users\Admin\Downloads\cEIW.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\cUYi.exe

Filesize
789KB

MD5
678f9c81c858e7d34dc962034960cafb

SHA1
cbf3733ab7b7faf250310ce266e998a5c2a80a8d

SHA256
125481f247810f60e1d034b5eecea595443132c6ace1899afee88e0731ce9296

SHA512
d35ab335ed213965684f0761e060a62613a93148ace2488502edf6aada23d77cf1145257f083cfe2c4093ba21dda9ee970afb0dc9de6aaaa0db86afeb832e3c7

Download Submit
C:\Users\Admin\Downloads\cYwu.exe

Filesize
205KB

MD5
25cb91247cb1105ae9c21fffa028eb1f

SHA1
767151c60b675da2b6938f6d0305adae20806b4e

SHA256
a48d61645a15affe4454d157a1f49c3e09fb8629600e230164a9e32040735304

SHA512
26f069ba901065e37eb9a8934e0389a925d172c12e7dc8de756ad6db981cc6912cf9ab577a64fb09a4175e4a4905312b056bc08941831d7672a08f427d6f2e4a

Download Submit
C:\Users\Admin\Downloads\ckIc.exe

Filesize
432KB

MD5
e80333152b690234a2d42ba3fd31d3fa

SHA1
fee004aaa3c2ecce8d5a0722c3fc26e24efd807e

SHA256
70ee657605de4c1482cc6e295fa959cf61abfb40e05f66c10e368f32e4430463

SHA512
3b9981be3dc8a6e633ec97defcafdd2c6754b53700e750a90ecd0bf733b7fd5544e8c43b221fd44943dbd3eac0f89d15d55f7d51791d9f997cebb9370c938754

Download Submit
C:\Users\Admin\Downloads\egQq.exe

Filesize
203KB

MD5
d175828c3f31ebe5918ed425b37e1425

SHA1
486c07bc88962aa19bb386370993159a0af171f1

SHA256
06840219b4bf4d4b9ca47aa277ad6f310691e482a60b1f00cd626045ada20620

SHA512
0084ef3ed953afca39cace1a7b2aa6e0ca49b2e74c079659785cefc719c9f8563285cfd058a5e324f77382df02aa62ab8dfc303140c5d7bd66fa040449805641

Download Submit
C:\Users\Admin\Downloads\eksS.exe

Filesize
397KB

MD5
177a2a855654634f8533753c1dbc3fa9

SHA1
5084fe921237285dc75f93428207d847920c5fd7

SHA256
5b105b970d2ec1e6400f638fbb3f5610fa4299abbe6d7a29fbde8dc67e7956b8

SHA512
04e6478383a074b338da51f45b0e143ca862fafa96983c431c37b69c5d73bf5a761d05c0251c8f59af8d03f17ebb14fe3f94199654292f3390f55da03a4efffb

Download Submit
C:\Users\Admin\Downloads\gEIq.exe

Filesize
886KB

MD5
1b7e01f533c55237398d4ecac7f04af4

SHA1
fb77488d98fb774c4aa48993ac97551d1313f1b2

SHA256
37558f62efe91faf3e953f034d7959064d35b560c8bc6a772f1bb895249d3d8b

SHA512
a8e66113344286cff8fab154cdef04cd92decf6d778f5083f9a597783add7a0797b0ac61a6b774c29a8ba94b1e20a2a9ded27486da60d853fef10bd739f9380c

Download Submit
C:\Users\Admin\Downloads\ggcq.exe

Filesize
188KB

MD5
934f4d7bbca45d20c1b3b1ae20b41d6a

SHA1
e31c56582a17762330090c2b4739b3bcfabf34b2

SHA256
0c87d90acaab814a56b3a6137c74a5ec51bce94d2e4072ccf082c8428bdf6ab2

SHA512
2b0cf5cfb0ddd2c72314230c2d3f922d95ea3ecd06ccc2a4d37f4b0001e976430a1a8a72bd547fbf33a7fcdb7e2a95b9a258d10107fb3c3a77c951086bd8f1ee

Download Submit
C:\Users\Admin\Downloads\gsks.exe

Filesize
197KB

MD5
5238a8d4f8b6b8378c88f40a2af38c78

SHA1
2886128d5909b5b6a00a31b1bb6461fcc1344417

SHA256
f2ebb51d129401982417c2bfa2039f5b8e8de0d3d841a1ec3ad36daf67606b57

SHA512
87dc23078aea44fc07e979f26d7afbfb85baca19e4864e54449bbbddf7130f11c82aa4c1c71de1b07c898c94fa4d74b2807e313f8b4c4d53c48b98bb8379545c

Download Submit
C:\Users\Admin\Downloads\gwAa.exe

Filesize
544KB

MD5
c61e8f998644951d0ac643fcd6012538

SHA1
1be6036de0c8cdebd6076e5237e6d2995a692a5c

SHA256
d92fb80f4bd69d8ac3c8910e98f698f4bf4b09a7532c49869b15e74420e5767f

SHA512
8745fda99f20649e6f221b1213ef8de3e90b37392ad863173143a90249fcbdd7f195c808c28be037d26dff7520068c1475578f8618be9d33c2b73ab101458c48

Download Submit
C:\Users\Admin\Downloads\ioIy.exe

Filesize
209KB

MD5
42e85caaa2221630dac5599a64cc6794

SHA1
5be9004493949e2ddca86daf7c3a04171a2261b7

SHA256
76368fbbecb7c3961e8dcd31799c471ccf1dfb512d96507e807ddd98a30ee259

SHA512
bc3485141c29736f423f0040d0eea3dd702432b060e25a04c13f8b29a7e04f5d6559ac374e659cac29535d219ea8f805a46cc2fb5d10e4d925364fb10222deef

Download Submit
C:\Users\Admin\Downloads\kEkW.exe

Filesize
203KB

MD5
6be13f979dda5e5d97a167ee764d37c2

SHA1
849fc733c68d1d195f7db2573e544fedfff0cfcc

SHA256
e5a844349b32de5c205e9485fdbf43f6a72d155aade8747b9a2574ef7b17fe63

SHA512
66d4a64d22601d20a3f7ac1d1b6ae9ea433b84e502690069f22f00986419f1ae46633fd258084d4af7eb10859c5cc041ff41bebd113e22d75bccc6809cd35823

Download Submit
C:\Users\Admin\Downloads\kIwu.exe

Filesize
426KB

MD5
bff536001c0a4d56a46cd8841f0db824

SHA1
aec656ddba5b3484638584a3a85066fbd1ecca37

SHA256
2f5957b17dc3db4a57c2340031613c4208308f3915aa8a3d649c073b18e03ffc

SHA512
6327569f65837216886edc7cd2f2d52f43904f10b1162073f26bb223ff218ed5c6a3a78716e0448f94e9e560f613d2b5ce0d34ef5dca821421d9b3ac1b413e72

Download Submit
C:\Users\Admin\Downloads\kMwE.exe

Filesize
554KB

MD5
1c63ad009283a8d712f22c3aeb621bea

SHA1
e78843c62b154111b8e75f50219201720b03bd85

SHA256
cedc553c11a55da16bbd3091c196ccb7a8ac158d8efc97eaee95397d4ff50eb8

SHA512
097886e780a2fdc79e5d115713c6c238b575755e3d64e77d0b97f84cfa72a9228d4c53fbc5bc89a76e5091f2586f30f35c63e658010c1c000edd4a71e68da4c4

Download Submit
C:\Users\Admin\Downloads\kYYg.exe

Filesize
231KB

MD5
3717d80fd4805c034a7a5e1a91cf849c

SHA1
b80faf2c48b9bc8e7014fb0233e32035931cc726

SHA256
0bdcf3e5d3a45bb00816f7bbc37b5e2c47e6b037e2c9f55d2684bf6c40c1c167

SHA512
8472bec758f58018acee475058aa9eb3cedbda873ad96c6edcd9aa407a41c36caa26e1a093a24c427804fc6ac43d30fce0cd3af9a2e42eada6cb5422638451ad

Download Submit
C:\Users\Admin\Downloads\kYkc.exe

Filesize
658KB

MD5
e63067a5cb223f850336c774e6d83fc8

SHA1
ad059e9de53ee59a84a9ea3cf4640cfb3b5f049b

SHA256
31b2e0e9c54d27fbd53f632ea61d89864bc2f8aaf086b3243706b11f2965c0b8

SHA512
29cb4f348c3ab8e23ce21897d76f506f343f75a73c39fdb6a10d715b807c1ba630d3118865a84308fbdc37ad469306ec24982bc5c197a82b08e08dda51789e0d

Download Submit
C:\Users\Admin\Downloads\kosy.exe

Filesize
809KB

MD5
4d682e4c3c27ac6abfee6a5890474254

SHA1
1b5d645b375dd3d28793858f0fced227a4727fac

SHA256
cbc5b2f80385e1c41c51b28d0a991f4bc3e98dafd16f0e853555369714b86a80

SHA512
2ebcede118f8c3db3369f1b33587594824a4c2dbbdf673b036e58d1eb78eb20eb92ddb96c075ca39e8988d3c6e6367f1b0c6a40add735415136261f5c185b5a3

Download Submit
C:\Users\Admin\Downloads\mYEo.exe

Filesize
194KB

MD5
872223b300480bced88047b1460770c1

SHA1
ff36913f785258459a1516750eeec12c1dfc8929

SHA256
f1e3d9b0ae17a78d63a71a203324c75485e648124eefdac1558a05de25cd2c89

SHA512
2546d5649f480639760720b8b928edbd658592436ea814851d4871f8f96f4cd2d032e89e75254b91765ef6a17034e05c5a7fc235299a5afb0d4ebf866fadff83

Download Submit
C:\Users\Admin\Downloads\msoC.exe

Filesize
193KB

MD5
7ffd6fdc81cb2154c20456361ca4b805

SHA1
8b76408b2d0651fe934217c3d7db4ae4b11ef9c9

SHA256
58e5a9ce515adda124d9f45278e66a5c988c9fb7d1741b712b22e183f4ad25ba

SHA512
2197d2ee7b8651ff26100b051bb7528aed4736898423839048b630dde2cfa9b3e37b62ae30c78f3121eb86f9289bf3e7e973c7b853eafa60794b251e8b79aeb5

Download Submit
C:\Users\Admin\Downloads\mwMq.exe

Filesize
203KB

MD5
2fa74267e027ea4abc83ce0ddfce2a0f

SHA1
49bfd8a024512ce54ccac7e1d4eb1231ac2de2f4

SHA256
e09901aa0bffb4478a60728c8226b8dd37a4e85b71a7552f181b45dab6eff04b

SHA512
4526ff2548063205ec21cc7e7ed69491f74d242d9081de74f38754fb717d727c1c114fe715a8df63131f6dfeb85dc550fd476ff2a08f8cb0c54d61fb9531aef0

Download Submit
C:\Users\Admin\Downloads\ogwm.exe

Filesize
395KB

MD5
34ba776c8743c44b458b3133e1f0eaa8

SHA1
224037fd4c55a487361cc6085da0837d288e69e4

SHA256
9390d2daf6fcfba9544d24d47b2b23b5842077b9dc06e141930dfeb372cfd246

SHA512
b4232fe8257c3630e4589e9c09f9763a5c2c28be0272f192d7db9574bbc0166325d4e6623a8c6a44b5b9d586f4fabee8a2a649a686c10e99592710f94033fe25

Download Submit
C:\Users\Admin\Downloads\okMW.exe

Filesize
181KB

MD5
915185a5ded41641dd1366b79955da9f

SHA1
1d4166a5b3d37d68e16cd77514050999b0d31b88

SHA256
d728fefdcaab55c43b800c217fd70daabf84f7679f241cd7b04fefc4eff7b163

SHA512
40910039aa3746497733994dab0c0180d7b7061e140e9d2202c43594cdab428bb7e033d0088f26c198e76a95bd998498265edf511b782ab75aa75784ac33569b

Download Submit
C:\Users\Admin\Downloads\okcu.exe

Filesize
245KB

MD5
fb495dcfbefdfdffc621ddd2bcf0dfde

SHA1
d6fe5c03195d8c4e79c8171d247c0670840e45be

SHA256
a21a22bbdd96b26eba3b62652e464d010dec28eb4a621bd2e2b421626b86353a

SHA512
62ab7c1d2e2f8ca6cc25b67e79d96af9a0d7c0a1befb951920f163b12627533cc8aac498a4cdb4a52923b76f22c6f53ff8ab519cfc4c151bdcf2d05f9803cc2e

Download Submit
C:\Users\Admin\Downloads\qIcc.exe

Filesize
540KB

MD5
729f446c92de1ed8ac5472478986da01

SHA1
bb751e85a6120c5b4ec6c773857190c7cd4cd6f3

SHA256
f24a5b358f3c408a1e999c9e8713beab9023b28714630da61278c85852348038

SHA512
f11dec65fee5054615e0e98a5c645f7f7f9abbe1fd30f3a51fb1d8a7f5fa35f1b01dee87b3fc46fafe701d4df8abec1826109b74dd1cbae4c58773fe601b03b9

Download Submit
C:\Users\Admin\Downloads\qIwO.exe

Filesize
185KB

MD5
a9afd627c769f59b11fd51b753888b37

SHA1
cdbd6e3655e5de2c8578a2ec8aead04a2e850c94

SHA256
c044784af3b921c4a7bbbf405966e181840bbb9fb6726d9c08c9ce95021d7c75

SHA512
6f898b8050439c7a57ca6046c9bf50d960cb8ba408af4f576f3523c21b0991f15a38661972c9b7f87592550f0e7d3eb63b655230cc8407ed497a8e77cb8c2783

Download Submit
C:\Users\Admin\Downloads\qYgS.exe

Filesize
197KB

MD5
412e66dfc067cb241d65e4eb4896acad

SHA1
6b127a551c7e0e7fa72d13c31f675530668f5892

SHA256
1b9a8b11c5862483a32ce960c71445042346369151d77d6d6252eab5dada168d

SHA512
533db1f44c43e27837d02ce851e0ce83dc59551cfd73b9cf3de54aa095d694017c0f2e8f4cb8d56d61081c1149a86931490f76748ac25880dcae5fd17c269679

Download Submit
C:\Users\Admin\Downloads\qkUA.exe

Filesize
195KB

MD5
32ce52658f663bf51f651eec276ff956

SHA1
29bf7ec19fea3b38b382909893b4bc85e73b839f

SHA256
0a7748a8b1cc45d145bcf140fb06b5d02cf80840e8ea83c2785898221864e8d5

SHA512
2da3f1b99ce8b22b05fd6a657efebd41df3ccc4ceb1ee7e3ae4043a3627304011fdd64c323e3e0409ae88cbc7901ee5e35872e098ce42cb8fa4a11bb1c559898

Download Submit
C:\Users\Admin\Downloads\sAsK.exe

Filesize
202KB

MD5
cb8dac5b52d1044d9850ea57195f9439

SHA1
8b20a22585a506d0d2728822a9a12f6ee6e8b05c

SHA256
54e96f5a7eba94407d5cc97437c200de6567b1ca16f744c56eb72862e5023bf0

SHA512
27ea7636f380513e2d9c4482b2a910141a0beab29441bd5478f265c23e2eabbc0e62d359bd8f8535b8393a7fc36e314c3688ec4c8d83675e3e4d2a8fb048052f

Download Submit
C:\Users\Admin\Downloads\sIEY.exe

Filesize
3.0MB

MD5
64ade2ef531e3dfde68a1f5413556120

SHA1
15426c2527437c5d407c0bd8458c9d2faa12a591

SHA256
621f235218bb4bffc932de9bb4f867191e302a9cba665111ab347c35d192d53a

SHA512
7725fe652f60b825e424170f294f00415e62bdad188b47cbcc5eb0e3376a777c5ff2112a3215b789ce38beeb43c7a207dbce6e65e588788ea75d1a19a3c90842

Download Submit
C:\Users\Admin\Downloads\sQws.exe

Filesize
203KB

MD5
4fbe5421b33d0068ab79aa12b9fd2c96

SHA1
6a2900ef243133df89983aa09497ac810c6b1cde

SHA256
a8d4d669a406806dcf995764d26cbfdf32fc7365a44512e01209f07a3cccb1e7

SHA512
d4546db22c98c761c8704facec3a87f188700eaff1bc23afcc58cb5e6cfea3960290d46b3ac3c2306ac82b497323b9a493e6bec45874f41f063ac53ecdb9779a

Download Submit
C:\Users\Admin\Downloads\sYEc.exe

Filesize
196KB

MD5
8d48273f0a71f49dbcdd37f43dc22a49

SHA1
2bcf30ae22417794492fe252893acdaa5adfdb37

SHA256
9de70759cbb11104d1883911f76c062da937a0a587db65c2391af7877a5452aa

SHA512
3a833d795b7227bdcb269e29cdfcac687c464e14c7b9a9c55b110105429e0ee09cbea967a744ca19e22a82c892b39b78cfca6ed3e1fadc9219e4d52288299352

Download Submit
C:\Users\Admin\Downloads\ssMk.exe

Filesize
658KB

MD5
2f4a863711ff193bfd752c3cdf4dd470

SHA1
fc4bce5088476eef8483193ef5610722f3133ea8

SHA256
158110b42fa37875d09860d31d62b01700bc3938ff4a5a2b2167dd0ffbca7c09

SHA512
3231a815876815fa501bcf864f6337d3b7b9aa9dee05be39ecc3fe70f7bf75d4e405e165697b18f6665ca312ebe88f361030c7cf4649cc6c4b49d5170431ea9b

Download Submit
C:\Users\Admin\Downloads\ssoC.exe

Filesize
205KB

MD5
a47080836a98d8641b22d1815eb6c7af

SHA1
9d4289c24726c68103a808e1351f0b51f4b1eb96

SHA256
d05a7bca3ab76332da3deb57af75bc7ee42ebca76540ce36cc0a5d65188b3042

SHA512
2ff552f22956f769b661c02a8784d06625e98b187bce3571270d85a7ca0caa9880f1afc193a67ebae2c7287d0fadf104c587491a79bea9e8b5fc25313d3f419c

Download Submit
C:\Users\Admin\Downloads\sswM.exe

Filesize
186KB

MD5
adafbb9ffe7b193703ccf5f787811395

SHA1
f0470296c0e3eb1a454a8d8ae12b8b25a61b2e13

SHA256
aa3c461e9725d7f457a557355d9f740b143234354e3374a9b5033aecceffd371

SHA512
ad016761159a84d71b291c42cb89ef5b0ff430c92b23fced5161d0d7e1c6467c712eb02569f7835f93dbf0dc5b044c1565c1dc22224ea9112d4957812e5f536a

Download Submit
C:\Users\Admin\Downloads\uAkk.ico

Filesize
4KB

MD5
34460862c89281546603585eba87f992

SHA1
c00e6558b839be12b54316e87116042454cccbd2

SHA256
bcb253ea3735a0cf0a8c6ee06c14c884937c64ddeacedb17240e40d403577620

SHA512
b21fbe3ba5b0a15dfe6d5797dd72fdfed7798748b1acc8846251ff1f58e164380a0bb2ff40a110f2b86fc6ba76abbb8cbe7a148eff697ef39a5dc4d1448bfe67

Download Submit
C:\Users\Admin\Downloads\uEcM.exe

Filesize
823KB

MD5
9ee98cab2d989a8bc5a0e29d3ab1c0b7

SHA1
29112fc6a28c398c8f89a07f14f7ca0f25beb3fd

SHA256
30e750765e10cac92cf2609a78c6cfe6f6c1c134ef16f5026f6d00f9c220054a

SHA512
1f6dd693ffa6894d4bfaf6d9abcb037c3d0ca6fbda6768b6dee9f690e0c971bea96b0379136b821fc9c17ac184fb52854b241f22affd75d84590a732350a4a06

Download Submit
C:\Users\Admin\Downloads\uYIu.exe

Filesize
198KB

MD5
41dc4f88aa32920ec8f946961de4f2c8

SHA1
5f9b3a5610ce9499bc228fff9581bee4f2b99240

SHA256
232693cef0befbb169ac6a6613b5a794c0d13cb661cf6a11f86b0808e88472a2

SHA512
d00af317ceaf19f370ed28646cc2f1e69dcbf9312c03e0672d7612da45653e3d4f163feb20609c7dee82635e47a1d2dff43a398ad346a24d40442819507bed56

Download Submit
C:\Users\Admin\Downloads\ucMm.exe

Filesize
222KB

MD5
e7d6463b67faacf2439b51b4beb5364b

SHA1
952f5fbdcde57dbc631d77d2311504091578f6e2

SHA256
e1593ae1261668dc19e8ad58a1051c9fa640841467ee3329ff6861ce71553bde

SHA512
042754f8a8ccfc15b0b238de175f71ac39c01780a746138e1f446c2ab1ee2e0599125131e931772dc7b09d264cb0007e3670b4f034dd18116599b115020eef96

Download Submit
C:\Users\Admin\Downloads\uwso.exe

Filesize
197KB

MD5
aa4c2977cdc698c5ca1d19a7ddf5bf82

SHA1
9b5c4ddbf15441f98fa2880dd4282c7539ea57f1

SHA256
6849bbf59cc42dcea4cd3f2b236051c63728fb64c3ae67c7c4f1401e43c4018d

SHA512
202b75e89843c14a9a27505b02d9a3af83a9fcaa79e3d33bf6119e48833e9b92c7084a27f486a013141bf2f6eb6968a2462fd9492226d9d54d59ff9991620dd9

Download Submit
C:\Users\Admin\Downloads\wAAE.exe

Filesize
191KB

MD5
4a090bc675b349604b3f5615438822c8

SHA1
0a5649b0c7cff437c972609c0a7b9bb4a8f9dedb

SHA256
e98df52b4838deb47577a88b35496d73787c2afa2de8920f1c34b72cfeed2707

SHA512
7449cfb889561dbc0177c781ae3152715e8c1a71ede4cc1ef450ab472f256df0eac1f138425c8bd74ab58361cfb6fd38ab196d4d5e0403a5f5e3ce246f000cc3

Download Submit
C:\Users\Admin\Downloads\wAUk.exe

Filesize
197KB

MD5
bad31438ba5da52d3735d1cbecec9522

SHA1
549ea03a0e9378a7951299fd0fc8ef20234df9b0

SHA256
e26be95532b9a2051949c0b331db41ecf6a66549ad945c631b425ce78aa056a6

SHA512
22cdc26fc845fa672bdbaaf21878bd8278836e897f7cba150f3580b02ff9c93ace7f4cdd989dc869859d99c80534df3379362e94c0a1a52be12b0525eb4b56d0

Download Submit
C:\Users\Admin\Downloads\wQwa.exe

Filesize
803KB

MD5
383615cf75cc52f7e4ca8eb1afdac969

SHA1
144772abdb413aa51adc231c33683bc5a5db02de

SHA256
807d4b403476c2dfdbc143c8c9a179e7c7edfc879a4dd25157e91b856b83fc76

SHA512
08dc544bc274c96b3977c4301c83f92d83dae6850505a36a63cc4e009606f345778aadfced5db16ca6ac142306dc599483bcfa8785cafbcd7bd285b6ee180daf

Download Submit
C:\Users\Admin\Downloads\wcQS.exe

Filesize
204KB

MD5
11a33f76d1186aa6405906eab4b399c6

SHA1
f14498356c47d6438e7c599c34d251fb2ab55e62

SHA256
48d84aec1d91926f252d3cddbb0fb45e151313e7ce8511004094680299cd63d4

SHA512
87d194d9d81b9464790a9a77a07db601acbec5dade759e2b7a92274fc0200dc334cf388e83c69448c9438b271c02b69558c308e600a882d78247db529e2365f0

Download Submit
C:\Users\Admin\Downloads\woMI.exe

Filesize
231KB

MD5
94847a4962dba10563b72ac92694770e

SHA1
7c1bf6f4641969e103f0384031538f4bf598ead7

SHA256
69213760ef81f4d0a42d7fb5ab032d6e9ca54edf2c086068b8a5df4a71479d3b

SHA512
4d0c46006ac5957dff5f8786d39365f0f3f17729d1756b72e9a0cefb8dafafe69c0e119bb742256f40bc7511f982a77b2888c0565a564ef4debe905fbc44836b

Download Submit
C:\Users\Admin\Downloads\wwEI.exe

Filesize
815KB

MD5
a24a0384b6d19a987fc7e52138f52443

SHA1
17f57efb0e8cd05e2ba8117947066da9cc15ef38

SHA256
a08635eda9b2df52d0bf406a89e170850d17c4374e94a8ff9f7a6ab92674b4c8

SHA512
6da966f743c8c09487818e961c0470b0deaac3335f69f3532da6319647f3bc7fc9dc80ff86300f7a47bf45c62733e29458e1f60d89872a59d6126a2ab35ec5cd

Download Submit
C:\Users\Admin\Downloads\yIYY.exe

Filesize
833KB

MD5
b21c855b4a9963f7d9fdde7d6479c9da

SHA1
b673466439afabf9f55d0387fea2c6d97af3c9b7

SHA256
99f0d78f88bf9ad0d6cf5b2c0cb1e5e8f8a3e8984c473293c014e6d1a20bbf10

SHA512
06ed19585666206d746d52a3b7aa1b3e6b4505e2d60557e06c797218445ab5a27ed1ab0f19685a07e09e2e97669a9713d4b4a804b2165751d0dff7329a8fb77e

Download Submit
C:\Users\Admin\oUoIwYkk\UKUEYMsg.exe

Filesize
203KB

MD5
53d990d0ac138274909244fcd8801726

SHA1
75c67cd4c4c00abe625d28bc946cc02a87eacffe

SHA256
1d01efd44f46baa70cba1ba9dca24da7979fe2722936800af2994656ea6e3040

SHA512
d60978e53e33971abaed3ccc6604f844e2a7acab6faf531663d4876a01701900dedaf45f1ef589f89c235757f5bb7b732bf67bf6e9993a10a5c6ce9934c58bef

Download Submit
memory/224-1314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/560-1026-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-1301-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-852-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/844-1165-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/844-1163-0x00000000053D0000-0x0000000005976000-memory.dmp

Filesize
5.6MB

Download
memory/844-1161-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/844-1174-0x0000000004F20000-0x0000000004F76000-memory.dmp

Filesize
344KB

Download
memory/844-1162-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/844-1172-0x0000000004D50000-0x0000000004D5A000-memory.dmp

Filesize
40KB

Download
memory/916-570-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/960-1008-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/960-734-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/980-700-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1084-973-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1084-980-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1088-1208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1088-971-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1396-652-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1396-640-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1476-937-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1564-1134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1564-860-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1576-953-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1576-1175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1576-1199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1596-945-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1652-1058-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1708-742-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1944-584-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1944-755-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1944-766-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1944-572-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1952-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-911-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2196-1150-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-1173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-842-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-1035-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-1160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2620-994-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2732-775-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2732-761-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2780-610-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2808-1076-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-794-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-961-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2892-1103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3176-692-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3292-919-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3344-682-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3404-893-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-1116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-774-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-786-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3528-1142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3856-868-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-641-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-726-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4012-6941-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-5826-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-6985-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-6964-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-1036-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-7055-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-1041-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-4895-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-7025-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-1044-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-1042-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-1592-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-6330-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4012-7004-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4016-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-1124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4048-876-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4080-1031-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4080-1048-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4180-998-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-999-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4184-756-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4192-674-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4192-667-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4364-885-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4452-621-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4492-1085-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4516-1016-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4692-596-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-1068-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-804-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-817-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4740-716-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4740-778-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4740-754-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4756-826-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4812-765-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-665-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-651-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4908-708-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4936-802-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-557-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-537-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5012-752-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5012-901-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5012-997-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5012-1000-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5024-927-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-1095-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-1084-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5092-834-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download