agenttesla | f4a36624bc6e4f44a63cea12250bf3e1d076ecd34c6e40db1637dd35b43e4fce

Analysis

max time kernel
418s
max time network
423s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00452.7z
Size

154.2MB
MD5

a51b6e3f4c11032eb72fa4919ffd361b
SHA1

5dcce1b18af81a7a29b78d42c0a7fa4aa6c76d59
SHA256

f4a36624bc6e4f44a63cea12250bf3e1d076ecd34c6e40db1637dd35b43e4fce
SHA512

082eee741b2cd19ea7a22a709b2f211bf9395867481b50c7c7931be35bca5b220a3e2f6d1398dcf7d3a260b002736b588070d5f3c60ffcb6ac1eed368fe03667
SSDEEP

3145728:da7Y6grXgeK+IDG8BTMzDTKhBK4PnNgsSeSX/+Zp1o7ll5et8lmShOr:gY6okFBKDKP8eSP+ZPWllsuq

Score

10^/10

agenttesla chaos njrat grand hacked agilenet aspackv2 discovery evasion execution keylogger ransomware spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.maiching.com
Port:
587
Username:
[email protected]
Password:
Flo23@ret123

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

blackhacked.ddns.net:5555

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Extracted

Family

njrat

Version

0.7d

Botnet

grand

q8404.ddns.net:401

Mutex

d791e17fd2e3d751bcf913a0d3b90860

Attributes

reg_key
d791e17fd2e3d751bcf913a0d3b90860
splitter
|'|'|

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d0c-314.dat	family_chaos
behavioral1/memory/4756-388-0x00000000008E0000-0x00000000008EC000-memory.dmp	family_chaos

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/2848-569-0x0000000000600000-0x000000000063C000-memory.dmp	family_agenttesla

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/4336-536-0x0000000005350000-0x00000000053E6000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/4336-536-0x0000000005350000-0x00000000053E6000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
10892	powershell.exe
12672	powershell.exe
6224	powershell.exe
9672	powershell.exe
13600	powershell.exe
9876	powershell.exe
10800	powershell.exe
8284	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6316	netsh.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000023e73-7099.dat	aspack_v212_v242
behavioral1/files/0x0007000000023e9b-7426.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe

Executes dropped EXE 6 IoCs

pid	Process
4952	HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
1016	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0c30ceffe341c698817521cdc7fbf5260a1a71506e0b5fe15b5d0456129784ba.exe
3688	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3fb92ace563962db2ba21323fd6a1f120ad9927c270035ba44a8bb0b1d9f3558.exe
3900	HEUR-Trojan-Ransom.MSIL.Blocker.gen-45b2b2ef31111765611f80bd5eb641325eb53f463a2536b46119cec3cd1a3d28.exe
5008	HEUR-Trojan-Ransom.MSIL.Blocker.gen-496c4ad737388082211f603dbaf76d3a2d62a8ae89756111bba485f06e2ae32b.exe
1332	HEUR-Trojan-Ransom.MSIL.Blocker.gen-666ad19d894f1962b6b8b4893a9d88ae6e95a7f7f19c596b784bfca4a4b1b948.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/3900-483-0x0000000006E90000-0x0000000006EB8000-memory.dmp	agile_net

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0008000000023d01-480.dat	vmprotect
behavioral1/memory/4336-482-0x0000000000730000-0x0000000000A14000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
62	discord.com
63	discord.com
67	discord.com
70	discord.com
71	discord.com
250	raw.githubusercontent.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	api.ipify.org
74	api64.ipify.org
75	api64.ipify.org
201	checkip.dyndns.org
208	freegeoip.app
209	freegeoip.app
241	freegeoip.app
59	api.ipify.org

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023d42-390.dat	upx
behavioral1/memory/2520-456-0x0000000000400000-0x00000000007C0000-memory.dmp	upx
behavioral1/memory/5396-517-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x0007000000023ca5-516.dat	upx
behavioral1/files/0x000a000000023d52-608.dat	upx
behavioral1/files/0x0007000000023ca8-666.dat	upx
behavioral1/memory/2520-669-0x0000000000400000-0x00000000007C0000-memory.dmp	upx
behavioral1/memory/5396-800-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/2520-5155-0x0000000000400000-0x00000000007C0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
5280	4336	WerFault.exe	126
10320	264	WerFault.exe	134
10480	264	WerFault.exe	134
12644	5012	WerFault.exe	177
12532	1332	WerFault.exe	104
12780	3304	WerFault.exe	197
5480	7340	WerFault.exe	207
9972	7124	WerFault.exe	253
5488	12984	WerFault.exe	434
13440	9996	WerFault.exe	467
11332	12540	WerFault.exe	528
3012	9640	WerFault.exe	564
2016	6916	WerFault.exe	570
10452	11008	WerFault.exe	576

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0c30ceffe341c698817521cdc7fbf5260a1a71506e0b5fe15b5d0456129784ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-45b2b2ef31111765611f80bd5eb641325eb53f463a2536b46119cec3cd1a3d28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-496c4ad737388082211f603dbaf76d3a2d62a8ae89756111bba485f06e2ae32b.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000023e25-6148.dat	nsis_installer_1
behavioral1/files/0x0007000000023e25-6148.dat	nsis_installer_2
behavioral1/files/0x0007000000023e39-6212.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5248	taskkill.exe
5620	taskkill.exe
3216	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
9408	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
12692	schtasks.exe
4032	schtasks.exe
9560	schtasks.exe
7496	schtasks.exe
7676	schtasks.exe
11864	schtasks.exe
740	schtasks.exe
13508	schtasks.exe
8408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
2552	powershell.exe
2552	powershell.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4024	7zFM.exe
3500	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	4024	7zFM.exe
Token: 35	4024	7zFM.exe
Token: SeSecurityPrivilege	4024	7zFM.exe
Token: SeDebugPrivilege	4656	taskmgr.exe
Token: SeSystemProfilePrivilege	4656	taskmgr.exe
Token: SeCreateGlobalPrivilege	4656	taskmgr.exe
Token: SeDebugPrivilege	3500	taskmgr.exe
Token: SeSystemProfilePrivilege	3500	taskmgr.exe
Token: SeCreateGlobalPrivilege	3500	taskmgr.exe
Token: 33	4656	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4656	taskmgr.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	3688	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3fb92ace563962db2ba21323fd6a1f120ad9927c270035ba44a8bb0b1d9f3558.exe
Token: SeDebugPrivilege	3900	HEUR-Trojan-Ransom.MSIL.Blocker.gen-45b2b2ef31111765611f80bd5eb641325eb53f463a2536b46119cec3cd1a3d28.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4024	7zFM.exe
4024	7zFM.exe
4024	7zFM.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
4656	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe
3500	taskmgr.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3500	4656	taskmgr.exe	88
PID 4656 wrote to memory of 3500	4656	taskmgr.exe	88
PID 2552 wrote to memory of 1908	2552	powershell.exe	95
PID 2552 wrote to memory of 1908	2552	powershell.exe	95
PID 1908 wrote to memory of 4952	1908	cmd.exe	97
PID 1908 wrote to memory of 4952	1908	cmd.exe	97
PID 1908 wrote to memory of 4952	1908	cmd.exe	97
PID 1908 wrote to memory of 1016	1908	cmd.exe	98
PID 1908 wrote to memory of 1016	1908	cmd.exe	98
PID 1908 wrote to memory of 1016	1908	cmd.exe	98
PID 1908 wrote to memory of 3688	1908	cmd.exe	99
PID 1908 wrote to memory of 3688	1908	cmd.exe	99
PID 3688 wrote to memory of 3188	3688	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3fb92ace563962db2ba21323fd6a1f120ad9927c270035ba44a8bb0b1d9f3558.exe	100
PID 3688 wrote to memory of 3188	3688	HEUR-Trojan-Ransom.MSIL.Blocker.gen-3fb92ace563962db2ba21323fd6a1f120ad9927c270035ba44a8bb0b1d9f3558.exe	100
PID 1908 wrote to memory of 3900	1908	cmd.exe	101
PID 1908 wrote to memory of 3900	1908	cmd.exe	101
PID 1908 wrote to memory of 3900	1908	cmd.exe	101
PID 1908 wrote to memory of 5008	1908	cmd.exe	103
PID 1908 wrote to memory of 5008	1908	cmd.exe	103
PID 1908 wrote to memory of 5008	1908	cmd.exe	103
PID 1908 wrote to memory of 1332	1908	cmd.exe	104
PID 1908 wrote to memory of 1332	1908	cmd.exe	104
PID 1908 wrote to memory of 1332	1908	cmd.exe	104

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00452.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4024

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
    HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4952
  - - C:\Users\Admin\AppData\Roaming\ks4.021.3.10.391ru_25000.exe
      "C:\Users\Admin\AppData\Roaming\ks4.021.3.10.391ru_25000.exe"
      4⤵
      PID:3284
  - - C:\Users\Admin\AppData\Roaming\seop.exe
      "C:\Users\Admin\AppData\Roaming\seop.exe"
      4⤵
      PID:4756
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        
        PID:11560
  - - C:\Users\Admin\AppData\Roaming\NSIS Quick Setup Script Generator.exe
      "C:\Users\Admin\AppData\Roaming\NSIS Quick Setup Script Generator.exe"
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\helper.bat
      4⤵
      PID:400
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
        5⤵
        Kills process with taskkill
        
        PID:5248
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0c30ceffe341c698817521cdc7fbf5260a1a71506e0b5fe15b5d0456129784ba.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-0c30ceffe341c698817521cdc7fbf5260a1a71506e0b5fe15b5d0456129784ba.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:4152
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5288
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5880
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:384
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6196
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7672
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7672" "2176" "2144" "2180" "0" "0" "2184" "0" "0" "0" "0" "0"
        5⤵
        
        PID:8152
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7308
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7308" "1828" "1936" "1688" "0" "0" "684" "0" "0" "0" "0" "0"
        5⤵
        
        PID:12876
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8856
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8856" "2216" "2184" "2220" "0" "0" "2224" "0" "0" "0" "0" "0"
        5⤵
        
        PID:12400
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10136
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:12156
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "12156" "1916" "1856" "1920" "0" "0" "1924" "0" "0" "0" "0" "0"
        5⤵
        
        PID:7020
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:12884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8628
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8628" "1920" "1852" "1924" "0" "0" "1928" "0" "0" "0" "0" "0"
        5⤵
        
        PID:10860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11124
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7956
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3fb92ace563962db2ba21323fd6a1f120ad9927c270035ba44a8bb0b1d9f3558.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-3fb92ace563962db2ba21323fd6a1f120ad9927c270035ba44a8bb0b1d9f3558.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\o5ezh3ww.inf
      4⤵
      PID:3188
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-45b2b2ef31111765611f80bd5eb641325eb53f463a2536b46119cec3cd1a3d28.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-45b2b2ef31111765611f80bd5eb641325eb53f463a2536b46119cec3cd1a3d28.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      4⤵
      PID:2848
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-496c4ad737388082211f603dbaf76d3a2d62a8ae89756111bba485f06e2ae32b.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-496c4ad737388082211f603dbaf76d3a2d62a8ae89756111bba485f06e2ae32b.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:4620
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6652
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7708
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:2236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:12172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:13072
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "13072" "1908" "1864" "1912" "0" "0" "1916" "0" "0" "0" "0" "0"
        5⤵
        
        PID:14316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10132
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "10132" "1908" "1848" "1912" "0" "0" "1916" "0" "0" "0" "0" "0"
        5⤵
        
        PID:10604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10140
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7176
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:12084
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-666ad19d894f1962b6b8b4893a9d88ae6e95a7f7f19c596b784bfca4a4b1b948.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-666ad19d894f1962b6b8b4893a9d88ae6e95a7f7f19c596b784bfca4a4b1b948.exe
    3⤵
    - Executes dropped EXE
    PID:1332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5600
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6276
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6276" "2144" "2120" "2156" "0" "0" "2152" "0" "0" "0" "0" "0"
        5⤵
        
        PID:11316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 2024
        5⤵
        Program crash
        
        PID:5480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7132
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7132" "2164" "2132" "2168" "0" "0" "2172" "0" "0" "0" "0" "0"
        5⤵
        
        PID:8172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6516
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6516" "1752" "1972" "1792" "0" "0" "1796" "0" "0" "0" "0" "0"
        5⤵
        
        PID:12408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9012
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10232
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8924
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8924" "1952" "1756" "1956" "0" "0" "1960" "0" "0" "0" "0" "0"
        5⤵
        
        PID:14216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9968
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:12280
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "12280" "1988" "1928" "1992" "0" "0" "1996" "0" "0" "0" "0" "0"
        5⤵
        
        PID:14088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1780
      4⤵
      Program crash
      PID:12532
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-67152254088a7f5078b66dc6b0361f1a17f6491d471f2b8a0eba2ff7b75b213e.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-67152254088a7f5078b66dc6b0361f1a17f6491d471f2b8a0eba2ff7b75b213e.exe
    3⤵
    PID:2204
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-be57e92dab62d37d99cf735fd0d865cd4da2ecad19f181f24acd574f99da3515.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-be57e92dab62d37d99cf735fd0d865cd4da2ecad19f181f24acd574f99da3515.exe
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WSNI" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security notification icon.exe"
      4⤵
      PID:5524
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WSNI" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security notification icon.exe"
        5⤵
        
        PID:6148
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security notification icon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security notification icon.exe"
      4⤵
      PID:13532
    - - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        5⤵
        
        PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security notification icon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security notification icon.exe"
        5⤵
        
        PID:2980
      - C:\Users\Admin\AppData\Local\Temp\Windows Security notification icon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security notification icon.exe"
        6⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\Windows Security notification icon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security notification icon.exe"
        7⤵
        
        PID:14156
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security notification icon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security notification icon.exe"
        5⤵
        
        PID:2236
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c14b1bd8f5c3d761cf492341a90bbc0933239761214e1badf00cf07c6636d3df.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-c14b1bd8f5c3d761cf492341a90bbc0933239761214e1badf00cf07c6636d3df.exe
    3⤵
    PID:2732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5360
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:3304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 2152
        5⤵
        Program crash
        
        PID:12780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7488
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8788
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6024
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9224
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "9224" "2040" "1980" "2044" "0" "0" "2052" "0" "0" "0" "0" "0"
        5⤵
        
        PID:11700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10188
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:12032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11936
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "11936" "1376" "1316" "1380" "0" "0" "1384" "0" "0" "0" "0" "0"
        5⤵
        
        PID:10204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:13064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11956
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d69ae5cfa4a2c22a7a418c345089121dc582a2178313c17c0ae077bad87be2a5.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-d69ae5cfa4a2c22a7a418c345089121dc582a2178313c17c0ae077bad87be2a5.exe
    3⤵
    PID:264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5012
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 2308
        5⤵
        Program crash
        
        PID:12644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6804
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5924
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5924" "1996" "1924" "2000" "0" "0" "2004" "0" "0" "0" "0" "0"
        5⤵
        
        PID:12764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 2032
        5⤵
        Program crash
        
        PID:9972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10100
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9248
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:12164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 1184
      4⤵
      Program crash
      PID:10320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 1184
      4⤵
      Program crash
      PID:10480
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-49f9b3d790fafaa873863bbc1e735064eb1b18f0cba749264619c69be3cd1a1c.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-49f9b3d790fafaa873863bbc1e735064eb1b18f0cba749264619c69be3cd1a1c.exe
    3⤵
    PID:5396
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Cuba.gen-9795ca37e543c81b20cb71946b1ab8432bcdce82f2a48bfa3483ac17d1e84346.exe
    HEUR-Trojan-Ransom.Win32.Cuba.gen-9795ca37e543c81b20cb71946b1ab8432bcdce82f2a48bfa3483ac17d1e84346.exe
    3⤵
    PID:5900
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-0b13cb4811cf7b0814edd206845689c9fb56a9ea6827ab445779a6b4ae96e45a.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-0b13cb4811cf7b0814edd206845689c9fb56a9ea6827ab445779a6b4ae96e45a.exe
    3⤵
    PID:5776
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Generic-dae52d405c20aa48eeb273baa9d8055450c9fcf7e465b5e02c841722c763cf9d.exe
    HEUR-Trojan-Ransom.Win32.Generic-dae52d405c20aa48eeb273baa9d8055450c9fcf7e465b5e02c841722c763cf9d.exe
    3⤵
    PID:8352
  - - C:\Users\Admin\Downloads\diagsvc.exe
      "C:\Users\Admin\Downloads\diagsvc.exe"
      4⤵
      PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\new.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\new.exe"
        5⤵
        
        PID:12180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pass.exe /stext winlib.txt
        6⤵
        
        PID:12720
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Generic-e44c11fa52cccf54dedba94afb4fd2fec9aafde8074e15f98a9bbf2bdbb71ca0.exe
    HEUR-Trojan-Ransom.Win32.Generic-e44c11fa52cccf54dedba94afb4fd2fec9aafde8074e15f98a9bbf2bdbb71ca0.exe
    3⤵
    PID:8896
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      4⤵
      PID:8564
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:11344
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Stop.gen-15ea8f482fa4a5d5a4a99def4bfd3a4a5956f77749a1fd0cbdb8fd2d44fefa99.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-15ea8f482fa4a5d5a4a99def4bfd3a4a5956f77749a1fd0cbdb8fd2d44fefa99.exe
    3⤵
    PID:9660
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe
    HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe
    3⤵
    PID:9688
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wbZoXNZeXZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6525.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7496
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe"
      4⤵
      PID:13472
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe"
      4⤵
      PID:4340
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe"
      4⤵
      PID:5208
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe"
      4⤵
      PID:12604
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe"
      4⤵
      PID:13412
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-04e479716eb43333c43bbdb25c221c487ba9bb73f291bf20817285e7363420bb.exe
    HEUR-Trojan.MSIL.Crypt.gen-04e479716eb43333c43bbdb25c221c487ba9bb73f291bf20817285e7363420bb.exe
    3⤵
    PID:8164
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-27b58a2d4004d6d5e45ff1d83ed06838b8d8ea9aa18a747c45e826fe0404207c.exe
    HEUR-Trojan.MSIL.Crypt.gen-27b58a2d4004d6d5e45ff1d83ed06838b8d8ea9aa18a747c45e826fe0404207c.exe
    3⤵
    PID:10656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-27b58a2d4004d6d5e45ff1d83ed06838b8d8ea9aa18a747c45e826fe0404207c.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:9672
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-27b58a2d4004d6d5e45ff1d83ed06838b8d8ea9aa18a747c45e826fe0404207c.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-27b58a2d4004d6d5e45ff1d83ed06838b8d8ea9aa18a747c45e826fe0404207c.exe"
      4⤵
      PID:11008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11008 -s 1760
        5⤵
        Program crash
        
        PID:10452
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-2895b7c080d97dc9b129910393ba0242425edc6c0e7f373a3f4275761be98800.exe
    HEUR-Trojan.MSIL.Crypt.gen-2895b7c080d97dc9b129910393ba0242425edc6c0e7f373a3f4275761be98800.exe
    3⤵
    PID:8060
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-29949bcafb8c11fc147a1e90a7f1564f67d59946d0ed0f7ca600a5388f7ab352.exe
    HEUR-Trojan.MSIL.Crypt.gen-29949bcafb8c11fc147a1e90a7f1564f67d59946d0ed0f7ca600a5388f7ab352.exe
    3⤵
    PID:6136
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-29949bcafb8c11fc147a1e90a7f1564f67d59946d0ed0f7ca600a5388f7ab352.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-29949bcafb8c11fc147a1e90a7f1564f67d59946d0ed0f7ca600a5388f7ab352.exe"
      4⤵
      PID:6668
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-29949bcafb8c11fc147a1e90a7f1564f67d59946d0ed0f7ca600a5388f7ab352.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-29949bcafb8c11fc147a1e90a7f1564f67d59946d0ed0f7ca600a5388f7ab352.exe"
      4⤵
      PID:11648
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-316ec59af20f9d52ee5ecd239a64958e78abf499fcc2111b52ec0870bc2c3088.exe
    HEUR-Trojan.MSIL.Crypt.gen-316ec59af20f9d52ee5ecd239a64958e78abf499fcc2111b52ec0870bc2c3088.exe
    3⤵
    PID:6012
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:13256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:12540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12540 -s 1084
        5⤵
        Program crash
        
        PID:11332
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-499114c13d27e90dc6aa8b599a5e2e992ce23ec00926fd6ca544bdc2dea5ebd7.exe
    HEUR-Trojan.MSIL.Crypt.gen-499114c13d27e90dc6aa8b599a5e2e992ce23ec00926fd6ca544bdc2dea5ebd7.exe
    3⤵
    PID:13184
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-499114c13d27e90dc6aa8b599a5e2e992ce23ec00926fd6ca544bdc2dea5ebd7.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-499114c13d27e90dc6aa8b599a5e2e992ce23ec00926fd6ca544bdc2dea5ebd7.exe"
      4⤵
      PID:8344
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-4d21a917b5926ddf08d9731bb09e51f1f6ff74551020daef49f094586b82b545.exe
    HEUR-Trojan.MSIL.Crypt.gen-4d21a917b5926ddf08d9731bb09e51f1f6ff74551020daef49f094586b82b545.exe
    3⤵
    PID:12208
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-4dd8126bebeef5fa30860ab3c081047d362c9a147a17a7824f15a3e1d4082f32.exe
    HEUR-Trojan.MSIL.Crypt.gen-4dd8126bebeef5fa30860ab3c081047d362c9a147a17a7824f15a3e1d4082f32.exe
    3⤵
    PID:12984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12984 -s 1920
      4⤵
      Program crash
      PID:5488
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-5c1f3c2b8b23343742792e56bd525ffc26f5524b74ae551cec0b6f99cafade48.exe
    HEUR-Trojan.MSIL.Crypt.gen-5c1f3c2b8b23343742792e56bd525ffc26f5524b74ae551cec0b6f99cafade48.exe
    3⤵
    PID:5344
  - - C:\Users\Admin\AppData\Roaming\4c07930c-bc71-98ba-0001-413b43040f88\4c07930c-bc71-98ba-0001-413b43040f88.exe
      "C:\Users\Admin\AppData\Roaming\4c07930c-bc71-98ba-0001-413b43040f88\4c07930c-bc71-98ba-0001-413b43040f88.exe"
      4⤵
      PID:4184
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:11408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C REG ADD HKLM\Software\483b0a67-34c0-05b6-9f22-ddbd5f07cd45 /f /v 483b0a67-34c0-05b6-9f22-ddbd5f07cd45 /t REG_MULTI_SZ /d C:\Users\Admin\AppData\Roaming\483b0a67-34c0-05b6-9f22-ddbd5f07cd45\483b0a67-34c0-05b6-9f22-ddbd5f07cd45.exe
        5⤵
        
        PID:13888
      - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" ADD HKLM\Software\483b0a67-34c0-05b6-9f22-ddbd5f07cd45 /f /v 483b0a67-34c0-05b6-9f22-ddbd5f07cd45 /t REG_MULTI_SZ /d C:\Users\Admin\AppData\Roaming\483b0a67-34c0-05b6-9f22-ddbd5f07cd45\483b0a67-34c0-05b6-9f22-ddbd5f07cd45.exe
        6⤵
        Modifies registry key
        
        PID:9408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        
        PID:2200
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-748b8c8536ce722dc8e212550230d966b7f15f939e2ed6f42cc2c411e6b31458.exe
    HEUR-Trojan.MSIL.Crypt.gen-748b8c8536ce722dc8e212550230d966b7f15f939e2ed6f42cc2c411e6b31458.exe
    3⤵
    PID:5844
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-7c0682a83d5ed678505c44d87b87015dad162ebadc6b6c9cf26522daeb5ce507.exe
    HEUR-Trojan.MSIL.Crypt.gen-7c0682a83d5ed678505c44d87b87015dad162ebadc6b6c9cf26522daeb5ce507.exe
    3⤵
    PID:10028
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-8123d4dfdc31d3c1cfe64ef29c44a24683d29bccb95d4b32a98091509ced74d9.exe
    HEUR-Trojan.MSIL.Crypt.gen-8123d4dfdc31d3c1cfe64ef29c44a24683d29bccb95d4b32a98091509ced74d9.exe
    3⤵
    PID:5868
  - - C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
      4⤵
      PID:4560
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-81c1473be0c7918526b069ffdb406320073b511167b9455cbde75feadad6fdcb.exe
    HEUR-Trojan.MSIL.Crypt.gen-81c1473be0c7918526b069ffdb406320073b511167b9455cbde75feadad6fdcb.exe
    3⤵
    PID:4512
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-81c1473be0c7918526b069ffdb406320073b511167b9455cbde75feadad6fdcb.exe
      "{path}"
      4⤵
      PID:8496
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-88dfd0abf5c882dc62a8f6749c73aff3b6e34e092d22b0ba7428619f1f27065c.exe
    HEUR-Trojan.MSIL.Crypt.gen-88dfd0abf5c882dc62a8f6749c73aff3b6e34e092d22b0ba7428619f1f27065c.exe
    3⤵
    PID:8804
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-8bd1873ddab51dd81165cd8c8b5d6c26aeb0bca4bb4ad2b3ead7023c9dda3f38.exe
    HEUR-Trojan.MSIL.Crypt.gen-8bd1873ddab51dd81165cd8c8b5d6c26aeb0bca4bb4ad2b3ead7023c9dda3f38.exe
    3⤵
    PID:11056
  - - C:\Users\Admin\AppData\Local\Temp\wirelessdriver.exe
      "C:\Users\Admin\AppData\Local\Temp\wirelessdriver.exe"
      4⤵
      PID:14164
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-a50bd1793d64a299f651526a84ef880ef9757558a9fabe9c5747eb0840805755.exe
    HEUR-Trojan.MSIL.Crypt.gen-a50bd1793d64a299f651526a84ef880ef9757558a9fabe9c5747eb0840805755.exe
    3⤵
    PID:9472
  - - C:\Users\Admin\Desktop\00452\p‮‮oci.snas.exe
      "C:\Users\Admin\Desktop\00452\p‮‮oci.snas.exe"
      4⤵
      PID:8592
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\jhjmvo3l.inf
        5⤵
        
        PID:3852
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-a595541daeeb29aabb7749fba9581fd3eef3ecf5079e2b1707118662da15a708.exe
    HEUR-Trojan.MSIL.Crypt.gen-a595541daeeb29aabb7749fba9581fd3eef3ecf5079e2b1707118662da15a708.exe
    3⤵
    PID:5736
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-aee789c42cef17ae40755cda1199bc5b66b9b7fad941d7ca5e885e45dd7f0e94.exe
    HEUR-Trojan.MSIL.Crypt.gen-aee789c42cef17ae40755cda1199bc5b66b9b7fad941d7ca5e885e45dd7f0e94.exe
    3⤵
    PID:11680
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-b354d4ece5cb665fad6633fa39096aee52c02f84416e6113a3159484821721b1.exe
    HEUR-Trojan.MSIL.Crypt.gen-b354d4ece5cb665fad6633fa39096aee52c02f84416e6113a3159484821721b1.exe
    3⤵
    PID:12492
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:7636
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:6316
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-b7beab0b8d66f2d95f883618761eb69038a8efc93bdcf88143d8e8c5ca785562.exe
    HEUR-Trojan.MSIL.Crypt.gen-b7beab0b8d66f2d95f883618761eb69038a8efc93bdcf88143d8e8c5ca785562.exe
    3⤵
    PID:7792
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-c0d2667a3fa9f499b259c1658c496455778205351566eb78126fd46c849a6d3e.exe
    HEUR-Trojan.MSIL.Crypt.gen-c0d2667a3fa9f499b259c1658c496455778205351566eb78126fd46c849a6d3e.exe
    3⤵
    PID:5912
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-c0d2667a3fa9f499b259c1658c496455778205351566eb78126fd46c849a6d3e.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-c0d2667a3fa9f499b259c1658c496455778205351566eb78126fd46c849a6d3e.exe"
      4⤵
      PID:6184
  - - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-c0d2667a3fa9f499b259c1658c496455778205351566eb78126fd46c849a6d3e.exe
      "C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-c0d2667a3fa9f499b259c1658c496455778205351566eb78126fd46c849a6d3e.exe"
      4⤵
      PID:8288
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-cd7b73ce24bbf99c5297347b0a641a2c5c8fa54437e3003eb7083b56661b3ff3.exe
    HEUR-Trojan.MSIL.Crypt.gen-cd7b73ce24bbf99c5297347b0a641a2c5c8fa54437e3003eb7083b56661b3ff3.exe
    3⤵
    PID:9016
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-e0f9c6ee6710ec8ccec8395a103baf9d0bdbb4fbc4a523bcf4fccf96a2babd5f.exe
    HEUR-Trojan.MSIL.Crypt.gen-e0f9c6ee6710ec8ccec8395a103baf9d0bdbb4fbc4a523bcf4fccf96a2babd5f.exe
    3⤵
    PID:9996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9996 -s 1208
      4⤵
      Program crash
      PID:13440
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-eac5bc95dec99144d1bfad928dde0904e8a8d4b77db68ccef7b22db677bab9c1.exe
    HEUR-Trojan.MSIL.Crypt.gen-eac5bc95dec99144d1bfad928dde0904e8a8d4b77db68ccef7b22db677bab9c1.exe
    3⤵
    PID:8516
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-ebd4d7c33ccb4e403709f0ec1860b63e7a001ae4fc5422a3610c2ad1d57956f0.exe
    HEUR-Trojan.MSIL.Crypt.gen-ebd4d7c33ccb4e403709f0ec1860b63e7a001ae4fc5422a3610c2ad1d57956f0.exe
    3⤵
    PID:4604
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-fabba6c34156d791e623c25e3f0ba926a0c5d35da70c78d22f5436fd6a21d974.exe
    HEUR-Trojan.MSIL.Crypt.gen-fabba6c34156d791e623c25e3f0ba926a0c5d35da70c78d22f5436fd6a21d974.exe
    3⤵
    PID:3672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 908
      4⤵
      PID:11436
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-fafd90fa5328fd80232ffc70e02539baec4335e868848a5b0c477d29c47da353.exe
    HEUR-Trojan.MSIL.Crypt.gen-fafd90fa5328fd80232ffc70e02539baec4335e868848a5b0c477d29c47da353.exe
    3⤵
    PID:11728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 860
      4⤵
      PID:13172
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.gen-fbe1eac1d979f32c1f7e8636dfe1ece225637612a4cf1690d68d920067000cbe.exe
    HEUR-Trojan.MSIL.Crypt.gen-fbe1eac1d979f32c1f7e8636dfe1ece225637612a4cf1690d68d920067000cbe.exe
    3⤵
    PID:3696
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Crypt.vho-1763986b3af5a1a093e42a764bf511f18f109444a9cf3e0a3c55570804fd5148.exe
    HEUR-Trojan.MSIL.Crypt.vho-1763986b3af5a1a093e42a764bf511f18f109444a9cf3e0a3c55570804fd5148.exe
    3⤵
    PID:9508
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Cryptos.gen-47b9b0c2392f774b508124341171bcbc1a4f978314d243521a4148cfdc5e7b4d.exe
    HEUR-Trojan.MSIL.Cryptos.gen-47b9b0c2392f774b508124341171bcbc1a4f978314d243521a4148cfdc5e7b4d.exe
    3⤵
    PID:9248
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\155227~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\155227~1.EXE
      4⤵
      PID:12536
    - - C:\Users\Admin\AppData\Local\Temp\T2E.$$$\T2ESetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\T2E.$$$\T2ESetup.exe" /S
        5⤵
        
        PID:5324
    - - C:\Users\Admin\AppData\Local\Temp\T2E.$$$\T2ESetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\T2E.$$$\T2ESetup.exe" /S
        5⤵
        
        PID:6476
    - - C:\Users\Admin\AppData\Local\Temp\Torrent2Exe\T2E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Torrent2Exe\T2E.exe" --sfx "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\155227~1.EXE"
        5⤵
        
        PID:8252
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\noadmin.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\noadmin.exe
      4⤵
      PID:4368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:10064
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:13508
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:13844
    - - C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        5⤵
        
        PID:2032
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        6⤵
        
        PID:8048
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9560
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        
        PID:2576
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Cryptos.gen-516ecdae0437f06ce018ad04a61095d410c7dbc6086f91957bd8fa8505ddebfe.exe
    HEUR-Trojan.MSIL.Cryptos.gen-516ecdae0437f06ce018ad04a61095d410c7dbc6086f91957bd8fa8505ddebfe.exe
    3⤵
    PID:6624
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\155227~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\155227~1.EXE
      4⤵
      PID:7464
    - - C:\Users\Admin\AppData\Local\Temp\T2E.$$$\T2ESetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\T2E.$$$\T2ESetup.exe" /S
        5⤵
        
        PID:11612
    - - C:\Users\Admin\AppData\Local\Temp\T2E.$$$\T2ESetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\T2E.$$$\T2ESetup.exe" /S
        5⤵
        
        PID:5776
    - - C:\Users\Admin\AppData\Local\Temp\Torrent2Exe\T2E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Torrent2Exe\T2E.exe" --sfx "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\155227~1.EXE"
        5⤵
        
        PID:9548
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\noadmin.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\noadmin.exe
      4⤵
      PID:7144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:11124
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8408
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Cryptos.gen-519c49e4547b80f7d7c34e55799780979d45e006578c4a71378740ec0849430f.exe
    HEUR-Trojan.MSIL.Cryptos.gen-519c49e4547b80f7d7c34e55799780979d45e006578c4a71378740ec0849430f.exe
    3⤵
    PID:7772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:7964
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:12692
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Cryptos.gen-61a68f4e82b06a3490cfd633b22c28f8ccb3c1611e6feaff3a685467def46554.exe
    HEUR-Trojan.MSIL.Cryptos.gen-61a68f4e82b06a3490cfd633b22c28f8ccb3c1611e6feaff3a685467def46554.exe
    3⤵
    PID:11248
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      4⤵
      PID:10372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8284
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows host" /tr '"c:\windows\system32\windows host.exe"' & exit
      4⤵
      PID:10568
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "windows host" /tr '"c:\windows\system32\windows host.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11864
  - - C:\windows\system32\windows host.exe
      "C:\windows\system32\windows host.exe"
      4⤵
      PID:10300
    - - C:\windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        
        PID:9816
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13600
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Cryptos.gen-72628248498ec849e547de66d88cc603775596f5122a7044b210564183e6fe7e.exe
    HEUR-Trojan.MSIL.Cryptos.gen-72628248498ec849e547de66d88cc603775596f5122a7044b210564183e6fe7e.exe
    3⤵
    PID:14004
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      4⤵
      PID:11984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10892
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"c:\windows\system32\services64.exe"' & exit
      4⤵
      PID:12244
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"c:\windows\system32\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:740
  - - C:\windows\system32\services64.exe
      "C:\windows\system32\services64.exe"
      4⤵
      PID:12332
    - - C:\windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        
        PID:7916
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9876
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Cryptos.gen-7aeafa218be002abcd91a4c8be3ffacd86300d6f67831dc0e285228665004a9a.exe
    HEUR-Trojan.MSIL.Cryptos.gen-7aeafa218be002abcd91a4c8be3ffacd86300d6f67831dc0e285228665004a9a.exe
    3⤵
    PID:11292
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      4⤵
      PID:1044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"c:\windows\system32\services64.exe"' & exit
      4⤵
      PID:7112
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"c:\windows\system32\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7676
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Cryptos.gen-d54060553aa02f478afdcd7fd55401c5e5aa49c84459c1a6a73b8687367674d2.exe
    HEUR-Trojan.MSIL.Cryptos.gen-d54060553aa02f478afdcd7fd55401c5e5aa49c84459c1a6a73b8687367674d2.exe
    3⤵
    PID:7480
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\Services.exe
      "C:\Users\Admin\AppData\Local\Temp\Services.exe"
      4⤵
      PID:14052
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:13424
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.MSIL.Cryptos.gen-fbf827c12cfda1aff1d89810b5d7ac583149571755f6f1aa61dc6c6f55a7bef3.exe
    HEUR-Trojan.MSIL.Cryptos.gen-fbf827c12cfda1aff1d89810b5d7ac583149571755f6f1aa61dc6c6f55a7bef3.exe
    3⤵
    PID:12484
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      4⤵
      PID:10432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6224
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"c:\windows\system32\services32.exe"' & exit
      4⤵
      PID:7968
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"c:\windows\system32\services32.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4032
  - - C:\windows\system32\services32.exe
      "C:\windows\system32\services32.exe"
      4⤵
      PID:9348
    - - C:\windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        
        PID:7652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10800
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.Win32.Crypt.gen-1385c3d747eed12e6e8712a8e32820f6dce44531423d81e2e5763c16f7eb38ff.exe
    HEUR-Trojan.Win32.Crypt.gen-1385c3d747eed12e6e8712a8e32820f6dce44531423d81e2e5763c16f7eb38ff.exe
    3⤵
    PID:8720
  - - C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\setup_install.exe"
      4⤵
      PID:9640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c arnatic_1.exe
        5⤵
        
        PID:7736
      - C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\arnatic_1.exe
        
        arnatic_1.exe
        6⤵
        
        PID:12472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c arnatic_2.exe
        5⤵
        
        PID:13344
      - C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\arnatic_2.exe
        
        arnatic_2.exe
        6⤵
        
        PID:1372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c arnatic_3.exe
        5⤵
        
        PID:6912
      - C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\arnatic_3.exe
        
        arnatic_3.exe
        6⤵
        
        PID:10484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c arnatic_4.exe
        5⤵
        
        PID:5504
      - C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\arnatic_4.exe
        
        arnatic_4.exe
        6⤵
        
        PID:7212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c arnatic_5.exe
        5⤵
        
        PID:8124
      - C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\arnatic_5.exe
        
        arnatic_5.exe
        6⤵
        
        PID:9100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c arnatic_6.exe
        5⤵
        
        PID:13432
      - C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\arnatic_6.exe
        
        arnatic_6.exe
        6⤵
        
        PID:5744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c arnatic_7.exe
        5⤵
        
        PID:1980
      - C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\arnatic_7.exe
        
        arnatic_7.exe
        6⤵
        
        PID:12796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c arnatic_8.exe
        5⤵
        
        PID:12728
      - C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\arnatic_8.exe
        
        arnatic_8.exe
        6⤵
        
        PID:13820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9640 -s 532
        5⤵
        Program crash
        
        PID:3012
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.Win32.Crypt.gen-bac4cfb248387db8d1a392530ec983ffd1f0967ef609fa95f7918b653f734795.exe
    HEUR-Trojan.Win32.Crypt.gen-bac4cfb248387db8d1a392530ec983ffd1f0967ef609fa95f7918b653f734795.exe
    3⤵
    PID:6916
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:12876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 296
      4⤵
      Program crash
      PID:2016
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.Win32.Crypt.gen-e5203487f0bbd037f06aeda5aad3c304f9217260659212afc6be5ad85a35fcb7.exe
    HEUR-Trojan.Win32.Crypt.gen-e5203487f0bbd037f06aeda5aad3c304f9217260659212afc6be5ad85a35fcb7.exe
    3⤵
    PID:1012
- - C:\Users\Admin\Desktop\00452\HEUR-Trojan.Win32.Crypt.gen-f4cda955a66e6bdf1cc84d40b8f576257e129dc708fc157528716415b34229ff.exe
    HEUR-Trojan.Win32.Crypt.gen-f4cda955a66e6bdf1cc84d40b8f576257e129dc708fc157528716415b34229ff.exe
    3⤵
    PID:8248

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\4tbwniop.exe
1⤵
PID:2156
- C:\Windows\temp\4tbwniop.exe
  C:\Windows\temp\4tbwniop.exe
  2⤵
  PID:4336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1872
    3⤵
    - Program crash
    PID:5280

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4336 -ip 4336
1⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 9660 -ip 9660
1⤵
PID:9584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 264 -ip 264
1⤵
PID:10572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6432 -ip 6432
1⤵
PID:8216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 7124 -ip 7124
1⤵
PID:8048

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:12452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 12984 -ip 12984
1⤵
PID:13780

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\hiiav414.exe
1⤵
PID:5100
- C:\Windows\temp\hiiav414.exe
  C:\Windows\temp\hiiav414.exe
  2⤵
  PID:7664
- - C:\Windows\temp\hiiav414.exe
    C:\Windows\temp\hiiav414.exe
    3⤵
    PID:7516

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
PID:5620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:12468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 9996 -ip 9996
1⤵
PID:8528

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:7444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 12540 -ip 12540
1⤵
PID:7372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 9640 -ip 9640
1⤵
PID:6448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6916 -ip 6916
1⤵
PID:13156

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 11008 -ip 11008
1⤵
PID:5768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm.exe

Filesize
1.8MB

MD5
56cc6c643c14c81728b5384c2441f31e

SHA1
a652f93e1156bfa7b9219e934f24788f068c29a8

SHA256
b6bde78091498a2e7023685280f73fe7ef95a51863456a6ef795398068b56e4f

SHA512
18d6550cb7dc29d45a5c4fe769979f75cceb0b9831a94251f31aa93e2df90c082fd0fdb37c36671ff3b7cd79a856b8cdcbe1689bd9faa744bab439131e2d1a4e

Download Submit
C:\ProgramData\kaosdma.txt

Filesize
13B

MD5
17bcf11dc5f1fa6c48a1a856a72f1119

SHA1
873ec0cbd312762df3510b8cccf260dc0a23d709

SHA256
a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9

SHA512
9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HEUR-Trojan.MSIL.Crypt.gen-27b58a2d4004d6d5e45ff1d83ed06838b8d8ea9aa18a747c45e826fe0404207c.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
7848291f9332413a0cc4d140f8250032

SHA1
5f3afdd8d8fb70b27cbdd894edbff6b8400e5fea

SHA256
2bc2bc398504fddc7b5fc4099792e87db95cacb4f59e6003cb4241cd58d23421

SHA512
2480d830db8e2c4aa9f4269f017afb6ef1be120ae10af46643e9cb7692a9c0a9739d2df69590011c48e44834482d332fd9288b5239e306b3438ca9e3cb5f2139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
def29ac8e5cffef459c3d64d6bb18fb2

SHA1
ab64966735208644930daf81af0fde24993d7d20

SHA256
1fc6235ced7ccb482365969ccf76b6e54ed12fb3bb09a7bd37e2fa161a09fe57

SHA512
c62966b63c9d7706beb01c9e29b014c2a10307a06defbb3d0137d7af97f211e87140098617a30f1dc0637f9b0e7d008d5f9b88a8cf2c78d3f97450aa77efef45

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A052A941C88FE11FAA26D5AB94CF1D9\setup.dll

Filesize
5.4MB

MD5
0a6a0e99d0b9cd1cdb8816487986804f

SHA1
6720302495916df413ed666981969bb8b10037c4

SHA256
747e1e95734829357f2afc19b9c94b40fa22ecfd0a754708384e7473220038cb

SHA512
f825b3dfdc1b2504580b02e0da1470d2857408a28e34a401d4bd2a18d086579ebaee0cff09eea03b02ab84274a9e53021fb3b083db70c2656aaca38d0d89260d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0126AFFD\setup_install.exe

Filesize
290KB

MD5
24f3b1679f7a3049704a1f978eb3312b

SHA1
67fd8517197ab2a9b4307423ebfc7fa11bf17d6e

SHA256
28934d8164cb6f9e244768c8167a37597b49b3a5d0818ed5a17deed663dbf527

SHA512
69dc57e10fb822807219f7f65495d0664b9abd96ae9bbc9d92efd32094370d7373a48af5efdf7e81062f437e4843fb1d7155c623f02168a2556efd75bc3ae54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F311B4D\arnatic_1.txt

Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F311B4D\setup_install.exe

Filesize
290KB

MD5
98a17a5e822360822d47bc85b41d848e

SHA1
a3c17b4aac7ca7a0d2df2c6265247db80a22919e

SHA256
667a67e4909a497416814459448eab28ca5643d62bbf187b765b6cdee346ee85

SHA512
349bcf0facbef61a2e1ba7aaf792687efd2d002849b701de9d55f6974d28bc689addb9aaae40f8f831b8703a6b6499c66bb29edbc3a661f493f707a819b2809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dllhost.exe

Filesize
159KB

MD5
da0a36453d53a228f08c511877f36a1a

SHA1
19df96fc111fbded790917c5aea6668f92bb7c99

SHA256
8123d4dfdc31d3c1cfe64ef29c44a24683d29bccb95d4b32a98091509ced74d9

SHA512
df571cbc37bf3d12e16d7244cd8250679386750639ed587683d223b7d40e11393075d423729bf07709a8e1d6728dcfb5e2846dd637bd53845b50113dc7ade956

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\noadmin.exe

Filesize
47KB

MD5
7b3b07629b0297c2fae2438297293922

SHA1
0f8cd22064c98eb72162f67b048091d2b0aa3aa0

SHA256
b40b59bc9f9d83bf1ba32e4346bf628da03e81b0577b59afffd78096be91d933

SHA512
ed9f3d6dedf4ec774ab976ff98ad43261fb469590c11849be1e255243deba48b35594e0f276eee9f71577f2db25cbed197e622ff313f5958dc233a4b8c4ce416

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\155227~1.EXE

Filesize
1.6MB

MD5
aadac77a70a13f5f3ca6873724d1c02d

SHA1
11d97fcca6b0e017868eeb4e6b7ed14cf6d668b8

SHA256
7303c1720b90f4f2064b06eab8e5d7dbac6e3effd8b18b934fd23e9c89a08e5a

SHA512
82c8f372fcf76fa01bdd02899ea010e21ad9d1d1b52ea7927d0f8bcd5b09da98a94cc9e360ccb8f71d242cfa2443c60377890c5671573883dacbfc61507a15a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\new.exe

Filesize
2.2MB

MD5
d40ab39bb31acbb9d605090c9c3234bc

SHA1
e69087f366d4ee3c7d4fd9ceddeaaa1dfe0107d3

SHA256
576b4be6237099efddc9392af23ba34e7957c6c60d72411bceb85b59c322003a

SHA512
daf8145b8e2eb28738fe9e1aecd5821699ca634017f4298d3070782d792af308009d9c2c4a0f08cc010d6c82cc324a6cdbe679b14bbf8fe413fe48b88c188fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
2.0MB

MD5
8c175bea6a8b3cea79e59ec691c5342c

SHA1
55c96d4cbf91ec48b2306ae8263301cee568e6e8

SHA256
d54060553aa02f478afdcd7fd55401c5e5aa49c84459c1a6a73b8687367674d2

SHA512
5255eeafadbe92f26f0c8bca4f6ac2735a4bd02fe8cc10cd6a60eb93e43d204b0f8421a7b41028e2b0d9dfc782d66483864e6208111454fb408202cd55ef9e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\T2E.$$$\T2ESetup.exe

Filesize
1.5MB

MD5
5daf96e5d63b9e8e0d7fd168f9f0d27f

SHA1
05a2fcf9a0fa01ac255525f8723131263402112f

SHA256
e28f05dddc783351e00ee0a6b0efdf5a7a7777f010690032f7d240340e57f477

SHA512
5c34d70f3f815712338310e1d1bd63c6435c9dabbc543fd769882ab1de2e5b0239fff106748f85801d5e75aab0cc45f517eca682e6f3fae96225d5efa08465f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Torrent2Exe\Torrents\session.state

Filesize
63B

MD5
624ba60b2932ec23983302bed6b8697d

SHA1
032b964fca27b888da00baa2a816c4aac333d400

SHA256
b79b17e64da6872851f636fc36c58c8f33d746dd478f25021cd2a49fc05e2754

SHA512
b36f435e0a9c49029f440f095109f7ba196dd1d71da9273b8670681de801d1f8b91037fb785ee936f5632335bc4283272ec10df55ac115ba9ff4363eb5e8efe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security notification icon.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_efais0qn.1jt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdD82D.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst39F4.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
68KB

MD5
cfb89120209945db397fb4c4850938d5

SHA1
8e55c860c99692bf579b5613c11c21af18fb02d2

SHA256
b354d4ece5cb665fad6633fa39096aee52c02f84416e6113a3159484821721b1

SHA512
3a5a1399f25053070383fdfc61c04376dc1b7ebdfa460c138dc888e3697f33fccb754d48a8aaebbe1ec13ed384db8f02c09eb6b1d4d247be7dfea5707fbaa95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wirelessdriver.exe

Filesize
117KB

MD5
f29a2053a2d85c9d33511b510fa51892

SHA1
e9156a7f69e5edb61d8f6384fdb8ef7ed04bb73d

SHA256
8bd1873ddab51dd81165cd8c8b5d6c26aeb0bca4bb4ad2b3ead7023c9dda3f38

SHA512
e5683d67e697baacffb25e5d5ff29a1579a009f6d89857ae0116937b95a01f89b0f17d330e574d59b9cf46a0ad26c5e3bc1c8d5d95872e9c2b362addc1b8ef71

Download Submit
C:\Users\Admin\AppData\Roaming\4c07930c-bc71-98ba-0001-413b43040f88\4c07930c-bc71-98ba-0001-413b43040f88.exe

Filesize
410KB

MD5
c841b12d1cf2e0d5a477eb1d47437ccd

SHA1
69a8e4b79ce518abc4e5408baeba16cb1e3cc1ca

SHA256
8ea753b46e75252cbcb626fe386ecb3ab4d60a27a471fec2fa56e0cf3fcf238e

SHA512
603c31dacc5a7a553f61ac3eee562a4b063189284d7f1b3b6142abc39c801a48aeae552b0b6757799984a7fda720a42d754f680fcdfb7c04cbcea88fe9dab243

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
12KB

MD5
e904cf83ece6ea1eeabb1b6436a5c59d

SHA1
948627c80cb63513141e65764b999343058da552

SHA256
535add37994cf32e8a528816a5c6a132c3399c35158938a23576e390c41eb6d7

SHA512
b1b79fb69bf5d753fa5907d2aa41f5039e7b9f5c635996755b0bcc27cf21a2b4dedc49bb325d0bdb819868a8424df52c63731d95a231fa9c5980050acc71e15c

Download Submit
C:\Users\Admin\AppData\Roaming\NSIS Quick Setup Script Generator.exe

Filesize
82KB

MD5
e7eaf7358accd0be1af8b8b1fe1842c3

SHA1
cdba0ec8576cc3ddad9cf721e17aeb4e27584b16

SHA256
216c77b39b9cc4c3c81b65bd792a0fbba5fcbea490d41960c7d3f05c7825e10a

SHA512
9520e96cb63c58b9d3a730c4b855b528d69cfa25c9394bec1a083b41c2c5b7c05567ed5919fef9d07c0364cbf5a02032be5fc3331032b62b68290e3687d22cfe

Download Submit
C:\Users\Admin\AppData\Roaming\helper.bat

Filesize
160B

MD5
68818c233d321e2cbad5d0e1cbea3d36

SHA1
50efc387cd66a080b18fb6c2ec278d8dede7ccf6

SHA256
4b1db4d67fc7f19b89647f26331bea8d2ba78b39efd9a58e7ddb33e4579d3730

SHA512
749d1cd52b719de1ac9f19a5a3b62c1bac98760808fdd25f5d4a4be7412d0ba6062c2ad736a550167ac9ead7dc729129c8eff3b31d3321f33408bb3cdf066be9

Download Submit
C:\Users\Admin\AppData\Roaming\ks4.021.3.10.391ru_25000.exe

Filesize
2.7MB

MD5
65b1f62ed862801391998f2452a310da

SHA1
32ea39d76f7feb52818a54fb3f6283890cbfca74

SHA256
4a552fa623efa3975b49e054451f1e5c259faeb475054d67e0c24559caa13526

SHA512
a2e01d5e9441d3f36c5e354ab3efaef91754a8d4eb1090693e0472c706d696fbbadcde50a439a59c701b037a963a94845565ffee84c957a94f6e338d96f8fd2e

Download Submit
C:\Users\Admin\AppData\Roaming\selfdelete.bat

Filesize
315B

MD5
664cc6714496faccfd5a4e65f6c9e289

SHA1
ef39851ecd291f4cdd9a7f414be02290432f140f

SHA256
6d57a55ead3624eda1da198f6993c271622259cc66eee183e4118e49d127a285

SHA512
a2a46f805bf0f15b53a8a57bee5b8ae25d4981856cff009b7f7a000ad534a6579ed2e89b18370c5385c2ebaea95d904c67d2bd57d28dafeac5d57bb96dfe0ab5

Download Submit
C:\Users\Admin\AppData\Roaming\seop.exe

Filesize
23KB

MD5
3ab9a19ea7ed2d9297cd999810745940

SHA1
1b4578f00276f0d38c1b4557883bf227a47e2d0b

SHA256
ba022e06ab50230b7909a09c7288d7f88d3b28aaf3d6ebed722bbd5358919d97

SHA512
0a8fc1a254f14a0412807e6a3a7b5e17a23787b966da3cbe26add0108c8ca24677cda0a021ffc0063e8cdec177cf52aadf10fef4901c35fe08c443c806b5f6a1

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe

Filesize
2.2MB

MD5
9fbe0c531ffc2d9baae44ed976cb6110

SHA1
9d779b54b501ae264308cb3cfd356b5c56a9125a

SHA256
0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b

SHA512
453105ecd423147751f00d19d9587a0f339fbea957820d84839ff760f160db7f3b1f3191e86d19ec41b5ffd945eb7bae949ab01549dd5400733dc35889346215

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0c30ceffe341c698817521cdc7fbf5260a1a71506e0b5fe15b5d0456129784ba.exe

Filesize
494KB

MD5
e19bd3e6c45fd7b108b89b2b47af5795

SHA1
d8f06c46d129dd57fe3ea076b5be81765c825ff6

SHA256
0c30ceffe341c698817521cdc7fbf5260a1a71506e0b5fe15b5d0456129784ba

SHA512
dabfab1f5d54dc14ae2bd001b0efd0a518f93128318a83e6818b2d4ba1169f51c55c4d36117452e50f319dcb9d7560b8b47b749224eca0deef553d1e8d6df5b7

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-3fb92ace563962db2ba21323fd6a1f120ad9927c270035ba44a8bb0b1d9f3558.exe

Filesize
1.3MB

MD5
d9e3e0e5851e6f2180a0332076bfa68c

SHA1
f5d86e68252f7be091dc17d4bb2540cbb1d6e5c9

SHA256
3fb92ace563962db2ba21323fd6a1f120ad9927c270035ba44a8bb0b1d9f3558

SHA512
5e2600897f6b8badfe588e3a7fab7977dede2fb8477b03309ab2874776ab045520fb00d8c1d585b3609934bd9b86f7eb765d5e74990499ca07beec0d769bc021

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-45b2b2ef31111765611f80bd5eb641325eb53f463a2536b46119cec3cd1a3d28.exe

Filesize
778KB

MD5
ee6d0d1daa46cd4e30aca7a7aef2d278

SHA1
7138cfb1a5baaa7652cc8b91dd01b2c3c88b927b

SHA256
45b2b2ef31111765611f80bd5eb641325eb53f463a2536b46119cec3cd1a3d28

SHA512
f9d7f1cc262110c30a45c10ba37a5265ec4d1c2bc651dd5db0de11f8cf9798108710cdc0f03ec1e60b1d87230f78899bac7eb1debafb347af8985bc28661e2c8

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-496c4ad737388082211f603dbaf76d3a2d62a8ae89756111bba485f06e2ae32b.exe

Filesize
818KB

MD5
69ca9487cd81e5d0d1061dec40d8c625

SHA1
ffbfa8a3d62c10ede2bfdce3de45fdd9e258d8b8

SHA256
496c4ad737388082211f603dbaf76d3a2d62a8ae89756111bba485f06e2ae32b

SHA512
94fc1d6105cffffc46d81e0a3a278a984df2e403dffeab5854c0a7eed9ae661e4b9c3098b06724b6b60c72fe4aa25d71b4be9dd25e7ddb931c5c476035e2d5a6

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-666ad19d894f1962b6b8b4893a9d88ae6e95a7f7f19c596b784bfca4a4b1b948.exe

Filesize
505KB

MD5
a8e0f06d54e78abe7105c351a419cbc5

SHA1
f00598b3d58a0f00786e8449ff806450e892cac6

SHA256
666ad19d894f1962b6b8b4893a9d88ae6e95a7f7f19c596b784bfca4a4b1b948

SHA512
026c5101e23f8b17fbcec4c72e91a42827236bcaf1d6f26e34d77edcc04ab2dbaf46a2c640e4a2aad22abe5a833182690d98a35452a0e64bdbe087254b0e499f

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-67152254088a7f5078b66dc6b0361f1a17f6491d471f2b8a0eba2ff7b75b213e.exe

Filesize
12.0MB

MD5
52d0aae8eaa8da3f72f20d596891f9a3

SHA1
685eec01346122104c3cd2772c1d2407992be0db

SHA256
67152254088a7f5078b66dc6b0361f1a17f6491d471f2b8a0eba2ff7b75b213e

SHA512
6c664a8b5582437ba9e08085179e580ee70a40b53c69b8ffdaec6b76b1b56797ab422a31c923288e822da969f05cf6f350f45cb40ab6acc62e1c9b5c125c4479

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-be57e92dab62d37d99cf735fd0d865cd4da2ecad19f181f24acd574f99da3515.exe

Filesize
626KB

MD5
642f3d821d47f15aefbbd744b1ec7991

SHA1
7a70cff057017c1b6c17ea08ccf7a16d6d4256a6

SHA256
be57e92dab62d37d99cf735fd0d865cd4da2ecad19f181f24acd574f99da3515

SHA512
f68760b1bcc126b16402b4bf65872951ebcf6e6e62e374ccb902db5c37022737d89c8c3b1dcaf7f16f22cf3a3b872e30c02f82a0b460136729c5d22589ffe086

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c14b1bd8f5c3d761cf492341a90bbc0933239761214e1badf00cf07c6636d3df.exe

Filesize
547KB

MD5
3f3fe73466923e3557db0bf0c5987b97

SHA1
03fe6eb7a1fded3b066bec671ad8465b843f225c

SHA256
c14b1bd8f5c3d761cf492341a90bbc0933239761214e1badf00cf07c6636d3df

SHA512
b673215fd0028fd603133c1f41848a60a0ae381fee443f661c4e85535e8f0287c26a210027e65c8e861d7237e56d2c47b442bafe889d17af68d72ada2c3c1ae8

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d69ae5cfa4a2c22a7a418c345089121dc582a2178313c17c0ae077bad87be2a5.exe

Filesize
1.5MB

MD5
f9e3266fe8cb083ef988c24c3937093a

SHA1
32514bbd4dff9a77a5d4f57e572aebb320150677

SHA256
d69ae5cfa4a2c22a7a418c345089121dc582a2178313c17c0ae077bad87be2a5

SHA512
26c5c1a35b75697111d091c20f968c02a85c7d0e8bb259697ad46904eeb6ea821d74b212bbd90b417566a5f57e2810b4bad16af9c61f57a64c637b3dd8c0ecfb

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-49f9b3d790fafaa873863bbc1e735064eb1b18f0cba749264619c69be3cd1a1c.exe

Filesize
1.8MB

MD5
2bfa0f0a4b038952b350be1cbdb1552e

SHA1
d277f9511a887260ff7d1f11027c7468f10e34e0

SHA256
49f9b3d790fafaa873863bbc1e735064eb1b18f0cba749264619c69be3cd1a1c

SHA512
787b934977efce88a46f7a74b2f7d8d6db49adb7d7203e6a342055dbd90ccb1db63ebcf34cc9bf5acb1598a7ce449eafdbee13cfc67b8d1aaaa6b22fdc03533b

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Cuba.gen-9795ca37e543c81b20cb71946b1ab8432bcdce82f2a48bfa3483ac17d1e84346.exe

Filesize
642KB

MD5
ee123b627aa6292971b8779974b80952

SHA1
bbcf44a82cd7a1439456f5b377759bd676aa16f8

SHA256
9795ca37e543c81b20cb71946b1ab8432bcdce82f2a48bfa3483ac17d1e84346

SHA512
5a7fa9b4a1bb89daa8c59647e2965f620a4c3cf08d952bda3e2744c18ea52ae39d35e90d1ea006cfdbab2f404a505c639032d0f69565a67628ac20ae55151d67

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-0b13cb4811cf7b0814edd206845689c9fb56a9ea6827ab445779a6b4ae96e45a.exe

Filesize
1.1MB

MD5
f2370651e5199b87f3b3f1573912a5ec

SHA1
545c414497596eadf8be5e7e4ea8af3c61302087

SHA256
0b13cb4811cf7b0814edd206845689c9fb56a9ea6827ab445779a6b4ae96e45a

SHA512
c84fb256eb4daca13009f98ab8d2e304889fa7b5aba5dd394af010b01896026508c09c2cebd264f6aa857e186c56932bbaeff17407dd3b97459a12b53ee746ab

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Generic-6bec396b35f057948bc8b468621955a80b3b14130f3147b02435713ae8067656.exe

Filesize
1.0MB

MD5
66868e55e668fe6c946b4027c3d92fe5

SHA1
8b38f67a450d7563a495a9d664057bc909c0d239

SHA256
6bec396b35f057948bc8b468621955a80b3b14130f3147b02435713ae8067656

SHA512
0c96ee2b65d6360d65bc0c022127a1181cded752cf0df9f0682f3e012b8fcd744dc0793af354019a98e912ad8b25ab75ec31a837db4d6cf9dc4f0fedae4f9bd7

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Generic-dae52d405c20aa48eeb273baa9d8055450c9fcf7e465b5e02c841722c763cf9d.exe

Filesize
3.3MB

MD5
8a988959ca6032ee68852e7bedd4b571

SHA1
63727b827388e56ac9109020e8a125722a041147

SHA256
dae52d405c20aa48eeb273baa9d8055450c9fcf7e465b5e02c841722c763cf9d

SHA512
53afa949f7ff5ce88a2133ed96ac1dfa5649ab0a847d64e64e83045e13356d45af3e3128f86a4e2e076b22568b973cf21dc7c056646599a29d0886022ee61740

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Generic-e44c11fa52cccf54dedba94afb4fd2fec9aafde8074e15f98a9bbf2bdbb71ca0.exe

Filesize
60KB

MD5
21472a485fe02d7c04fbd83889fb7c31

SHA1
480008de4a8ecdd68e655a5cd6c6959755dbe673

SHA256
e44c11fa52cccf54dedba94afb4fd2fec9aafde8074e15f98a9bbf2bdbb71ca0

SHA512
d7c64d531d04c44d6b8b6e000d20dacfa4fa5720edf3272b86845df7f480f047dc0522e180ab1201b28b69d0eb299ae9fa829d5d4ef86a5d84881c53d54af967

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan-Ransom.Win32.Stop.gen-15ea8f482fa4a5d5a4a99def4bfd3a4a5956f77749a1fd0cbdb8fd2d44fefa99.exe

Filesize
201KB

MD5
66e987d4175c27619165a99ea2ed004d

SHA1
861519c73adf4ed345fc9b27d025ccdb0ae1529a

SHA256
15ea8f482fa4a5d5a4a99def4bfd3a4a5956f77749a1fd0cbdb8fd2d44fefa99

SHA512
d073d0a825cde4843430c7fb08e9b75aceb52a8e5b2e951ad2d94094b3a7ce99e479eb910431477ac4e6c099befd6f48b8454e9cfde62b3f65c9ce2f5038fcbb

Download Submit
C:\Users\Admin\Desktop\00452\HEUR-Trojan.Win32.Crypt.gen-1385c3d747eed12e6e8712a8e32820f6dce44531423d81e2e5763c16f7eb38ff.exe

Filesize
2.7MB

MD5
abfc37485ad217c9d6f352c66dae53d2

SHA1
f57f5562cb33f0dfaaae43d05684b12309c93fda

SHA256
1385c3d747eed12e6e8712a8e32820f6dce44531423d81e2e5763c16f7eb38ff

SHA512
75f68929636cbe45c060f77748e9cb00bf94cf344c226c7f54582f66ea2f1d1690b80b65d263d0175e8373e9047532519419db0cd703bbcc31205ead948289ee

Download Submit
C:\Users\Admin\Desktop\00452\p‮‮oci.snas.exe

Filesize
13.2MB

MD5
21fb6e2b5835e0a3a62fd79dac806703

SHA1
ce331bfb344f56a868cc733259e18a45a272456b

SHA256
773c6c1df1660b9cfaf7f1a080703951b7ba711bba3f9f3186bc8700ffcc8800

SHA512
5b97c2150acdec40f5272d00ddc9ce31dfcba504df1b066026e8df5bd17d9e4d56a217deac44938bc3559fe5c8dab1fd6129f997a0668ed4c753f2a188cc8a91

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk.givemenitro - Shortcut.lnk

Filesize
606B

MD5
94c005c83a59f07c4267bf5f89ac2b37

SHA1
8f0e108489f5a95c7c4d5cb894fc7eb1251a5954

SHA256
a3f2d35c050d33810c1f3b7be57838e5fd14bed1df8385a211f181a138bde9d2

SHA512
19f20f940b1d30d411101c3a287b3e541e3a68a65a60935e1bfa5eed9ead81404f7a3689123e5f9572fe5b081077bd4645bbd143ea9eedb2121f0031577d1c5c

Download Submit
C:\Users\Admin\Downloads\diagsvc.exe

Filesize
3.3MB

MD5
4ec3a97f1801d4591702bd5a12c919cf

SHA1
cbbc8b33aea1d425c122bf65cbd98550e5cec562

SHA256
e916791217660b1e2f4390e76377cd2456fc9098079b32c72891908d49601215

SHA512
b3eba66fec2f7883ec4cbde7af19f1410df9e11a45cd0aff32ae78aff4ff8f7b8f63eadc862141aa35b95938cf297d7bffa15fcdc3d5b65eb222f90091795c57

Download Submit
C:\Windows\System32\services32.exe

Filesize
96KB

MD5
a5d41c9f4862b776ca74902f3fd0b6de

SHA1
a0bfdb4b825c86b3641ea3309d6715d548aeb0c9

SHA256
fbf827c12cfda1aff1d89810b5d7ac583149571755f6f1aa61dc6c6f55a7bef3

SHA512
87a61aeaa9d1990343a2360cfceb96905be8fd9bafe1ef59260207e836adfe7c2c29244e93c690d8d9f7147c7e6e7470a666aca9b337a2fe3fb46a3697b79876

Download Submit
C:\Windows\System32\services64.exe

Filesize
7.7MB

MD5
533f228be45bc38899dda42f2a1185b7

SHA1
854ebeec6f1723aab9cc398ff37ee9aad7663f2c

SHA256
15ffa56644d3eeb57692a3ec8b1cfec705da14897d0f5dcf2b307becef89d7bd

SHA512
993e0a40396b8949b191611b6b3927baa4c2d3be07f42ade891b7502cdfce64d6d8cba691086cc2eb141f38d74ee37bc9fac1f7a199b3c1f8139bea394aa80d1

Download Submit
C:\Windows\System32\windows host.exe

Filesize
7.6MB

MD5
2cdec399512e36f9b63abef76931cc21

SHA1
dc82267fbf3b7412ee05520c2eaabdb8f6cba41f

SHA256
2f4c3243fdf425ca19e280aabd39271e0e072c13789b1f70a92a297aa0d32ee3

SHA512
338149d70b81bdd9a6e35670a55d3ccb6a9ffc7c81db75dbfd0cbe2a1f006e72e9d95da5d2c9cc8a881f3b6f9a11821b01a1eb4db1b69a228849d55af00c81d5

Download Submit
C:\Windows\Temp\4tbwniop.exe

Filesize
1.3MB

MD5
94af7730dbd6a9b7bcd4f4d9b6289e7e

SHA1
e62002195ac7c0712a0184771e51f5d8f6a1e1e2

SHA256
e8bb6e018f0a1a189e46453d7946711a0faf6fd88d59d199e7e16559f2dce25e

SHA512
8a448c9c66c0a7e9ceccd4a5b5dbac86124cb3482b160fdbd59fd1b53d6e77b405ff763505b143f466e8b369456cf9908ff4f5e1c8fb2447bef666f2161fb57a

Download Submit
C:\Windows\temp\o5ezh3ww.inf

Filesize
583B

MD5
4e7b746b8b5ea3ec6dec0935e5aa62be

SHA1
391a51090bd79041cefd4def401bae33273cbde0

SHA256
c5fca0373894d42d7fb8ec0e9653d8e6b2d90dbfef59ef8de45a5da213166415

SHA512
d879377ff9d1d5c3acfc774b828cc2ce247a9a899fa2e9dc547b7a2460fb9171c264384e7c4b4262540adaefc4ea84954f6d3f4f2c175ddb1d4ad6905274096a

Download Submit
\??\c:\users\admin\desktop\00452\heur-trojan.msil.crypt.gen-02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882.exe

Filesize
804KB

MD5
d9dcdf200cf6a269afcd6c84cc46ef27

SHA1
2d43602a3c0b8fe67129d1df6900424f8223c2e9

SHA256
02152fbca1bb66a6a3935948b436c7afdb00f64b114fd83b315291e94d3f2882

SHA512
227b685c1743548644d66e05857449763085773883a46f46ad76bba1201662a4240d6a7ae297d74f17be95575f27608eca665672ae6563cbbc7706bd7600344d

Download Submit
\??\c:\users\admin\desktop\00452\heur-trojan.msil.crypt.gen-04e479716eb43333c43bbdb25c221c487ba9bb73f291bf20817285e7363420bb.exe

Filesize
917KB

MD5
9767d6e99498f85d9f61e658f61872da

SHA1
39cdc58df39660e8c453bb03bd6b30c0312c46bc

SHA256
04e479716eb43333c43bbdb25c221c487ba9bb73f291bf20817285e7363420bb

SHA512
b1b462a9f3987fc85bf9c3c6b08e685de3b2c86171f8364227f0cdbce6afa8dccd7fd665f8157902388ee92f16854019f3409b10f2e76853ff61c2b5e5726136

Download Submit
memory/264-489-0x0000000000EF0000-0x0000000001070000-memory.dmp

Filesize
1.5MB

Download
memory/1016-1294-0x0000000007020000-0x0000000007096000-memory.dmp

Filesize
472KB

Download
memory/1016-1330-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-1304-0x00000000072C0000-0x0000000007320000-memory.dmp

Filesize
384KB

Download
memory/1016-1305-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-1326-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-1306-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-1308-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-239-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/1016-1312-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-1314-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-234-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/1016-1316-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-231-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/1016-1310-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-229-0x00000000007C0000-0x0000000000840000-memory.dmp

Filesize
512KB

Download
memory/1016-1318-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-1293-0x0000000006300000-0x0000000006356000-memory.dmp

Filesize
344KB

Download
memory/1016-1320-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-1322-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-1324-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1016-1328-0x00000000072C0000-0x0000000007319000-memory.dmp

Filesize
356KB

Download
memory/1332-295-0x00000000002A0000-0x0000000000324000-memory.dmp

Filesize
528KB

Download
memory/1780-1023-0x00000000002D0000-0x00000000006AF000-memory.dmp

Filesize
3.9MB

Download
memory/1780-1234-0x00000000002D0000-0x00000000006AF000-memory.dmp

Filesize
3.9MB

Download
memory/1780-5091-0x00000000002D0000-0x00000000006AF000-memory.dmp

Filesize
3.9MB

Download
memory/2204-300-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2204-308-0x0000000000A60000-0x0000000000A66000-memory.dmp

Filesize
24KB

Download
memory/2520-5155-0x0000000000400000-0x00000000007C0000-memory.dmp

Filesize
3.8MB

Download
memory/2520-669-0x0000000000400000-0x00000000007C0000-memory.dmp

Filesize
3.8MB

Download
memory/2520-456-0x0000000000400000-0x00000000007C0000-memory.dmp

Filesize
3.8MB

Download
memory/2552-204-0x00000225E4BC0000-0x00000225E4BE2000-memory.dmp

Filesize
136KB

Download
memory/2552-209-0x00000225E4C60000-0x00000225E4CA4000-memory.dmp

Filesize
272KB

Download
memory/2552-210-0x00000225E7210000-0x00000225E7286000-memory.dmp

Filesize
472KB

Download
memory/2552-212-0x00000225E4CB0000-0x00000225E4CCE000-memory.dmp

Filesize
120KB

Download
memory/2732-485-0x0000000000E30000-0x0000000000EBA000-memory.dmp

Filesize
552KB

Download
memory/2848-830-0x0000000004F10000-0x0000000004F28000-memory.dmp

Filesize
96KB

Download
memory/2848-569-0x0000000000600000-0x000000000063C000-memory.dmp

Filesize
240KB

Download
memory/2848-5482-0x0000000004990000-0x00000000049E0000-memory.dmp

Filesize
320KB

Download
memory/2980-5325-0x0000000000C10000-0x0000000000C2A000-memory.dmp

Filesize
104KB

Download
memory/3284-363-0x0000000077D20000-0x0000000077D30000-memory.dmp

Filesize
64KB

Download
memory/3284-362-0x0000000077D20000-0x0000000077D30000-memory.dmp

Filesize
64KB

Download
memory/3284-361-0x0000000077D20000-0x0000000077D30000-memory.dmp

Filesize
64KB

Download
memory/3408-444-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/3408-513-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/3408-586-0x0000000007520000-0x00000000075B6000-memory.dmp

Filesize
600KB

Download
memory/3408-514-0x0000000006AF0000-0x0000000006B3C000-memory.dmp

Filesize
304KB

Download
memory/3408-443-0x0000000005CD0000-0x0000000005CF2000-memory.dmp

Filesize
136KB

Download
memory/3408-365-0x0000000002C30000-0x0000000002C66000-memory.dmp

Filesize
216KB

Download
memory/3408-371-0x00000000056A0000-0x0000000005CC8000-memory.dmp

Filesize
6.2MB

Download
memory/3408-457-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/3408-756-0x00000000087C0000-0x0000000008E3A000-memory.dmp

Filesize
6.5MB

Download
memory/3408-445-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/3408-587-0x00000000069A0000-0x00000000069BA000-memory.dmp

Filesize
104KB

Download
memory/3688-225-0x0000000000D50000-0x0000000000E9A000-memory.dmp

Filesize
1.3MB

Download
memory/3900-493-0x0000000009CD0000-0x0000000009CD6000-memory.dmp

Filesize
24KB

Download
memory/3900-483-0x0000000006E90000-0x0000000006EB8000-memory.dmp

Filesize
160KB

Download
memory/3900-238-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/3900-492-0x00000000071A0000-0x00000000071B4000-memory.dmp

Filesize
80KB

Download
memory/3900-237-0x0000000000ED0000-0x0000000000F98000-memory.dmp

Filesize
800KB

Download
memory/3900-484-0x0000000006F10000-0x0000000006F32000-memory.dmp

Filesize
136KB

Download
memory/4184-5206-0x0000000005790000-0x00000000057E6000-memory.dmp

Filesize
344KB

Download
memory/4184-5205-0x0000000000B30000-0x0000000000B9C000-memory.dmp

Filesize
432KB

Download
memory/4336-482-0x0000000000730000-0x0000000000A14000-memory.dmp

Filesize
2.9MB

Download
memory/4336-551-0x0000000005470000-0x000000000548E000-memory.dmp

Filesize
120KB

Download
memory/4336-536-0x0000000005350000-0x00000000053E6000-memory.dmp

Filesize
600KB

Download
memory/4336-564-0x0000000005A80000-0x0000000005A8C000-memory.dmp

Filesize
48KB

Download
memory/4336-552-0x00000000057D0000-0x00000000057E6000-memory.dmp

Filesize
88KB

Download
memory/4512-5219-0x0000000000D80000-0x0000000000EB6000-memory.dmp

Filesize
1.2MB

Download
memory/4512-5263-0x0000000005C40000-0x0000000005C48000-memory.dmp

Filesize
32KB

Download
memory/4512-5495-0x0000000008930000-0x00000000089D8000-memory.dmp

Filesize
672KB

Download
memory/4524-5292-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4524-381-0x0000000000F10000-0x0000000000FB4000-memory.dmp

Filesize
656KB

Download
memory/4656-182-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4656-178-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4656-172-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4656-170-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4656-181-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4656-180-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4656-177-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4656-176-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4656-171-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4656-179-0x0000016303FF0000-0x0000016303FF1000-memory.dmp

Filesize
4KB

Download
memory/4756-388-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/5008-291-0x0000000000430000-0x0000000000502000-memory.dmp

Filesize
840KB

Download
memory/5008-2948-0x0000000006FF0000-0x000000000705C000-memory.dmp

Filesize
432KB

Download
memory/5008-2935-0x0000000006060000-0x00000000060E0000-memory.dmp

Filesize
512KB

Download
memory/5344-5145-0x0000000000A00000-0x0000000002784000-memory.dmp

Filesize
29.5MB

Download
memory/5396-517-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/5396-800-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/5736-5301-0x0000000000930000-0x0000000000A12000-memory.dmp

Filesize
904KB

Download
memory/5776-583-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/5776-589-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5776-590-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5776-591-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5776-613-0x0000000075D50000-0x0000000075E40000-memory.dmp

Filesize
960KB

Download
memory/5776-614-0x00000000768B0000-0x0000000076A50000-memory.dmp

Filesize
1.6MB

Download
memory/5776-615-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/5844-5162-0x0000000000C50000-0x0000000000E40000-memory.dmp

Filesize
1.9MB

Download
memory/5868-5203-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download
memory/5868-5204-0x0000000001200000-0x0000000001206000-memory.dmp

Filesize
24KB

Download
memory/5912-5468-0x0000000000120000-0x0000000000218000-memory.dmp

Filesize
992KB

Download
memory/6012-5039-0x00000000001F0000-0x00000000002BC000-memory.dmp

Filesize
816KB

Download
memory/6136-4900-0x0000000000E60000-0x0000000000F3A000-memory.dmp

Filesize
872KB

Download
memory/8352-829-0x0000000000030000-0x000000000038A000-memory.dmp

Filesize
3.4MB

Download
memory/8592-5417-0x000000001C710000-0x000000001CAA6000-memory.dmp

Filesize
3.6MB

Download
memory/8592-5304-0x0000000000B20000-0x000000000185C000-memory.dmp

Filesize
13.2MB

Download
memory/8592-5309-0x0000000001F00000-0x0000000001F06000-memory.dmp

Filesize
24KB

Download
memory/8804-5262-0x000000001B940000-0x000000001BC02000-memory.dmp

Filesize
2.8MB

Download
memory/8804-5267-0x000000001BC00000-0x000000001BDC8000-memory.dmp

Filesize
1.8MB

Download
memory/8804-5284-0x000000001BFD0000-0x000000001C078000-memory.dmp

Filesize
672KB

Download
memory/8804-5234-0x000000001B3D0000-0x000000001B63A000-memory.dmp

Filesize
2.4MB

Download
memory/8804-5229-0x0000000000490000-0x000000000084E000-memory.dmp

Filesize
3.7MB

Download
memory/8896-900-0x0000000000B80000-0x0000000000B96000-memory.dmp

Filesize
88KB

Download
memory/9016-5484-0x0000000000CD0000-0x0000000000D92000-memory.dmp

Filesize
776KB

Download
memory/9688-1038-0x00000000005B0000-0x000000000067E000-memory.dmp

Filesize
824KB

Download
memory/9996-5493-0x0000000000830000-0x00000000008F8000-memory.dmp

Filesize
800KB

Download
memory/10028-5183-0x00000000003D0000-0x00000000004B4000-memory.dmp

Filesize
912KB

Download
memory/10656-1244-0x0000000000770000-0x000000000083E000-memory.dmp

Filesize
824KB

Download
memory/11056-5241-0x0000000000920000-0x0000000000944000-memory.dmp

Filesize
144KB

Download
memory/11056-5264-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/11316-1178-0x0000000076530000-0x00000000765A5000-memory.dmp

Filesize
468KB

Download
memory/11680-5332-0x00000000000C0000-0x0000000000190000-memory.dmp

Filesize
832KB

Download
memory/12180-1288-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/12180-1289-0x000000006B000000-0x000000006B0E9000-memory.dmp

Filesize
932KB

Download
memory/12180-1290-0x000000006ADE0000-0x000000006AFFA000-memory.dmp

Filesize
2.1MB

Download
memory/12180-1291-0x000000006AD70000-0x000000006ADD5000-memory.dmp

Filesize
404KB

Download
memory/12208-5106-0x0000000000C00000-0x0000000000DAC000-memory.dmp

Filesize
1.7MB

Download
memory/12492-5413-0x0000000002FC0000-0x0000000002FCC000-memory.dmp

Filesize
48KB

Download
memory/12492-5409-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download
memory/12984-5130-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/12984-5125-0x00000000002E0000-0x000000000038C000-memory.dmp

Filesize
688KB

Download
memory/13184-5078-0x0000000000880000-0x000000000095E000-memory.dmp

Filesize
888KB

Download