azorult | 84b6a47228a3cc2d960f96975807f1424f24efd34140bcee4978c544112e1b14

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\gjfkmqrl\\opwwatbc.exe"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\gjfkmqrl\\opwwatbc.exe"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe

Modifies firewall policy service 3 TTPs 3 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe

Modifies security service 2 TTPs 4 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe

Contacts a large (7704) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2652-6634-0x0000000003240000-0x000000000326F000-memory.dmp	Nirsoft

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2652-6634-0x0000000003240000-0x000000000326F000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2652-6634-0x0000000003240000-0x000000000326F000-memory.dmp	WebBrowserPassView

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000001927a-75.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\opwwatbc.exe	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\opwwatbc.exe	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe

Executes dropped EXE 43 IoCs

pid	Process
2888	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7120648f241608d4b044725605e17a7cb5212b365e025cb22ec64fc354cbac69.exe
1808	HEUR-Trojan-Ransom.MSIL.Crusis.gen-8f6d43123d4775accaefec86fe48ee3eadefc6b7d6f4cc8e9b1457f11a18f3fd.exe
2024	HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe
2804	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
1208	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
2860	HEUR-Trojan-Ransom.Win32.Encoder.gen-7b392d62c0cf66f0cdb494c3e9ab8d0d4dda654fab1628d45c510201124d2118.exe
2952	Trojan-Ransom.Win32.Blocker.lcym-299f0c0eb83c24099d59635974b4e26447695ff4dfc43a5d635eb548963e8eb2.exe
1796	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
2652	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
2392	Trojan-Ransom.Win32.Blocker.lyyb-24713dba676eb17446c32c41c02f1c2df0c7c0c141a10129ccfef3e83e939a44.exe
2104	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
2268	Trojan-Ransom.Win32.Foreign.nysp-1540e3fdbc52ad3de631bf66af69bff0e88c38981a06a74ecab16a2a739e7111.exe
2120	Trojan-Ransom.Win32.Foreign.nzsj-3bd623f8c86656ff0e228b650e1a4530954ff4ee787ff59d0f05fa338381695b.exe
940	Trojan-Ransom.Win32.Gen.djd-201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
1952	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
3052	Trojan-Ransom.Win32.SageCrypt.eqs-8eea329ef17e6b6d21c2b5e8b5f063a5c73e1116787b77bc034232071fe65391.exe
1084	Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
1344	Trojan-Ransom.Win32.Shade.pum-fb814be5ad2692c8c833d98abf8d15345b95d09a95ac5abfc6d758c9786fe4de.exe
2944	Trojan-Ransom.Win32.Blocker.ljpe-73fece16bccb22d72e1e27aedabdc2f8168bea1f88b3d24406aecde8caed7400.exe
2236	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
1240	Trojan-Ransom.Win32.Crypmod.absj-d531ab589af63660210359ee898d845cb79d6799c70882932d9f191b2e322f66.exe
2108	Trojan-Ransom.Win32.Foreign.nzem-ee4c1750d4e4c543abaa722410e2f3bfb0bdf2bd5b567cd66f36a92ef8e98d72.exe
2052	Trojan-Ransom.Win32.Foreign.zhs-b97827f56e5d80a8ea6d929cbd85c29a45f3fb7ed2da237c819535229ea91f91.exe
416	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
2740	VHO-Trojan-Ransom.Win32.CryFile.gen-9a78b34c50b14d1da2e250fa837fb3afeb767d1fd0e2708dde3dc597fe225456.exe
2176	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
1900	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
3044	Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe
1636	Trojan-Ransom.Win32.Shade.owu-bb6f856ad48b43e231364df2fcc37ec2a115335f4a0d6e9968b709ce163d13f3.exe
904	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
1768	VHO-Trojan-Ransom.Win32.Crypmodadv.gen-b4fd9c26812533a547a864fb82fe60ddf821f98e1eb57e0dd90fa9278b884a2f.exe
1932	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
1576	nvc32.exe
3952	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
1400	sonickey.exe
3100	Rj3fNWF3.exe
2364	sonickey.exe
3728	Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
2752	Rj3fNWF3.exe
2584	Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe
1252	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
3216	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe

Loads dropped DLL 9 IoCs

pid	Process
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
2860	HEUR-Trojan-Ransom.Win32.Encoder.gen-7b392d62c0cf66f0cdb494c3e9ab8d0d4dda654fab1628d45c510201124d2118.exe
1084	Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
2392	Trojan-Ransom.Win32.Blocker.lyyb-24713dba676eb17446c32c41c02f1c2df0c7c0c141a10129ccfef3e83e939a44.exe
2392	Trojan-Ransom.Win32.Blocker.lyyb-24713dba676eb17446c32c41c02f1c2df0c7c0c141a10129ccfef3e83e939a44.exe
1952	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
1952	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
1952	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
3044	Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe = "C:\\Windows\\System32\\Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe"	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Trojan-Ransom.Win32.Shade.pum-fb814be5ad2692c8c833d98abf8d15345b95d09a95ac5abfc6d758c9786fe4de.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OpwWatbc = "C:\\Users\\Admin\\AppData\\Local\\gjfkmqrl\\opwwatbc.exe"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom = "C:\\Users\\Admin\\Desktop\\00362\\Trojan-Ransom.Win32.Foreign.nzsj-3bd623f8c86656ff0e228b650e1a4530954ff4ee787ff59d0f05fa338381695b.exe"	Trojan-Ransom.Win32.Foreign.nzsj-3bd623f8c86656ff0e228b650e1a4530954ff4ee787ff59d0f05fa338381695b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krhpgjfsjhn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\kpqgiy.exe\""	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Keylogger = "C:\\Users\\Admin\\AppData\\Local\\nvc32.exe"	nvc32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe

Drops desktop.ini file(s) 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\I:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\H:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\T:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\A:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\B:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\G:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\Z:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\N:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\E:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\O:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\V:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\X:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\L:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\K:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\G:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\R:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\U:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\W:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\S:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\M:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\P:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\J:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\L:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\N:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\Q:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\Y:	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
File opened (read-only)	\??\M:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
3452	verclsid.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened for modification	C:\AUTORUN.INF	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	F:\AUTORUN.INF	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	\??\c:\AUTORUN.INF	VHO-Trojan-Ransom.Win32.Crypmodadv.gen-b4fd9c26812533a547a864fb82fe60ddf821f98e1eb57e0dd90fa9278b884a2f.exe
File opened for modification	\??\c:\AUTORUN.INF	VHO-Trojan-Ransom.Win32.Crypmodadv.gen-b4fd9c26812533a547a864fb82fe60ddf821f98e1eb57e0dd90fa9278b884a2f.exe
File opened for modification	F:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
File created	C:\Windows\SysWOW64\shell.exe	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
File created	C:\Windows\SysWOW64\Mig2.scr	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
File created	C:\Windows\System32\Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2024	HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 316 set thread context of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 1900 set thread context of 1932	1900	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe	72
PID 1084 set thread context of 3728	1084	Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe	86
PID 416 set thread context of 1252	416	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe	92

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-170-0x000000000FE40000-0x000000000FE5B000-memory.dmp	upx
behavioral1/memory/2108-168-0x0000000000400000-0x00000000004D9000-memory.dmp	upx
behavioral1/memory/1344-188-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1344-186-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1344-185-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1344-184-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1344-183-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/files/0x0005000000019535-163.dat	upx
behavioral1/files/0x00050000000193dc-154.dat	upx
behavioral1/files/0x000500000001a447-465.dat	upx
behavioral1/memory/1344-546-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1932-568-0x0000000015190000-0x00000000151CD000-memory.dmp	upx
behavioral1/memory/1932-567-0x0000000015190000-0x00000000151CD000-memory.dmp	upx
behavioral1/memory/1932-566-0x0000000015190000-0x00000000151CD000-memory.dmp	upx
behavioral1/memory/2652-91-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2652-1293-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2108-1373-0x0000000000400000-0x00000000004D9000-memory.dmp	upx
behavioral1/memory/1636-1709-0x0000000000400000-0x0000000000614000-memory.dmp	upx
behavioral1/memory/3728-1711-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3728-1713-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3728-1714-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3728-1712-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3728-1717-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3728-3150-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4972-5102-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2652-7547-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\highDpiImageSwap.js	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\THMBNAIL.PNG.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01586_.WMF	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\PREVIEW.GIF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00171_.GIF	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00390_.WMF	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00184_.WMF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\PREVIEW.GIF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01631_.WMF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01167_.WMF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00167_.GIF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00141_.WMF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00902_.WMF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00444_.WMF.id-621036A5.[[email protected]].combo	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
File created	C:\Windows\xk.exe	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3984	2104	WerFault.exe	49
5092	2740	WerFault.exe	65
4536	1808	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sonickey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rj3fNWF3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Encoder.gen-7b392d62c0cf66f0cdb494c3e9ab8d0d4dda654fab1628d45c510201124d2118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.lyyb-24713dba676eb17446c32c41c02f1c2df0c7c0c141a10129ccfef3e83e939a44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHO-Trojan-Ransom.Win32.Crypmodadv.gen-b4fd9c26812533a547a864fb82fe60ddf821f98e1eb57e0dd90fa9278b884a2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.owu-bb6f856ad48b43e231364df2fcc37ec2a115335f4a0d6e9968b709ce163d13f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nysp-1540e3fdbc52ad3de631bf66af69bff0e88c38981a06a74ecab16a2a739e7111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.lcym-299f0c0eb83c24099d59635974b4e26447695ff4dfc43a5d635eb548963e8eb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHO-Trojan-Ransom.Win32.CryFile.gen-9a78b34c50b14d1da2e250fa837fb3afeb767d1fd0e2708dde3dc597fe225456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7120648f241608d4b044725605e17a7cb5212b365e025cb22ec64fc354cbac69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nzsj-3bd623f8c86656ff0e228b650e1a4530954ff4ee787ff59d0f05fa338381695b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.pum-fb814be5ad2692c8c833d98abf8d15345b95d09a95ac5abfc6d758c9786fe4de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.eqs-8eea329ef17e6b6d21c2b5e8b5f063a5c73e1116787b77bc034232071fe65391.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rj3fNWF3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Gen.djd-201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sonickey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.ljpe-73fece16bccb22d72e1e27aedabdc2f8168bea1f88b3d24406aecde8caed7400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crypmod.absj-d531ab589af63660210359ee898d845cb79d6799c70882932d9f191b2e322f66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crusis.gen-8f6d43123d4775accaefec86fe48ee3eadefc6b7d6f4cc8e9b1457f11a18f3fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.nzem-ee4c1750d4e4c543abaa722410e2f3bfb0bdf2bd5b567cd66f36a92ef8e98d72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019508-106.dat	nsis_installer_1
behavioral1/files/0x0005000000019508-106.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3976	vssadmin.exe

Modifies Control Panel 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\00362\,-\0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{\|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™Š›ŒŽŸ ¡¢£¤¥¦§¨©ª«¬®¯‰	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
File opened for modification	C:\Users\Admin\Desktop\00362\,-\0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{\|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™Š›ŒŽŸ ¡¢£¤¥¦§¨©ª«¬®¯‰	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
File opened for modification	C:\Users\Admin\Desktop\00362\,-\0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{\|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™Š›ŒŽŸ ¡¢£¤¥¦§¨©ª«¬®¯‰	Rj3fNWF3.exe
File opened for modification	C:\Users\Admin\Desktop\00362\,-\0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{\|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™Š›ŒŽŸ ¡¢£¤¥¦§¨©ª«¬®¯‰	Rj3fNWF3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3468	schtasks.exe
2284	schtasks.exe
3356	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2392	Trojan-Ransom.Win32.Blocker.lyyb-24713dba676eb17446c32c41c02f1c2df0c7c0c141a10129ccfef3e83e939a44.exe
1576	nvc32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 30 IoCs

pid	Process
2888	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7120648f241608d4b044725605e17a7cb5212b365e025cb22ec64fc354cbac69.exe
1808	HEUR-Trojan-Ransom.MSIL.Crusis.gen-8f6d43123d4775accaefec86fe48ee3eadefc6b7d6f4cc8e9b1457f11a18f3fd.exe
2024	HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe
2804	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
2860	HEUR-Trojan-Ransom.Win32.Encoder.gen-7b392d62c0cf66f0cdb494c3e9ab8d0d4dda654fab1628d45c510201124d2118.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
1796	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
2652	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
2952	Trojan-Ransom.Win32.Blocker.lcym-299f0c0eb83c24099d59635974b4e26447695ff4dfc43a5d635eb548963e8eb2.exe
2944	Trojan-Ransom.Win32.Blocker.ljpe-73fece16bccb22d72e1e27aedabdc2f8168bea1f88b3d24406aecde8caed7400.exe
2392	Trojan-Ransom.Win32.Blocker.lyyb-24713dba676eb17446c32c41c02f1c2df0c7c0c141a10129ccfef3e83e939a44.exe
2236	Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
2104	Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
1240	Trojan-Ransom.Win32.Crypmod.absj-d531ab589af63660210359ee898d845cb79d6799c70882932d9f191b2e322f66.exe
2268	Trojan-Ransom.Win32.Foreign.nysp-1540e3fdbc52ad3de631bf66af69bff0e88c38981a06a74ecab16a2a739e7111.exe
2108	Trojan-Ransom.Win32.Foreign.nzem-ee4c1750d4e4c543abaa722410e2f3bfb0bdf2bd5b567cd66f36a92ef8e98d72.exe
2120	Trojan-Ransom.Win32.Foreign.nzsj-3bd623f8c86656ff0e228b650e1a4530954ff4ee787ff59d0f05fa338381695b.exe
2052	Trojan-Ransom.Win32.Foreign.zhs-b97827f56e5d80a8ea6d929cbd85c29a45f3fb7ed2da237c819535229ea91f91.exe
940	Trojan-Ransom.Win32.Gen.djd-201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
416	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
1952	Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
1900	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
3052	Trojan-Ransom.Win32.SageCrypt.eqs-8eea329ef17e6b6d21c2b5e8b5f063a5c73e1116787b77bc034232071fe65391.exe
3044	Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe
1084	Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
1636	Trojan-Ransom.Win32.Shade.owu-bb6f856ad48b43e231364df2fcc37ec2a115335f4a0d6e9968b709ce163d13f3.exe
1344	Trojan-Ransom.Win32.Shade.pum-fb814be5ad2692c8c833d98abf8d15345b95d09a95ac5abfc6d758c9786fe4de.exe
2740	VHO-Trojan-Ransom.Win32.CryFile.gen-9a78b34c50b14d1da2e250fa837fb3afeb767d1fd0e2708dde3dc597fe225456.exe
1768	VHO-Trojan-Ransom.Win32.Crypmodadv.gen-b4fd9c26812533a547a864fb82fe60ddf821f98e1eb57e0dd90fa9278b884a2f.exe
2176	VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	taskmgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1084	Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	1236	7zFM.exe
Token: 35	1236	7zFM.exe
Token: SeSecurityPrivilege	1236	7zFM.exe
Token: SeDebugPrivilege	2672	taskmgr.exe
Token: SeSecurityPrivilege	1932	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Token: SeRestorePrivilege	1932	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Token: SeBackupPrivilege	1932	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Token: SeShutdownPrivilege	1932	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
Token: SeDebugPrivilege	1808	HEUR-Trojan-Ransom.MSIL.Crusis.gen-8f6d43123d4775accaefec86fe48ee3eadefc6b7d6f4cc8e9b1457f11a18f3fd.exe
Token: 33	1808	HEUR-Trojan-Ransom.MSIL.Crusis.gen-8f6d43123d4775accaefec86fe48ee3eadefc6b7d6f4cc8e9b1457f11a18f3fd.exe
Token: SeIncBasePriorityPrivilege	1808	HEUR-Trojan-Ransom.MSIL.Crusis.gen-8f6d43123d4775accaefec86fe48ee3eadefc6b7d6f4cc8e9b1457f11a18f3fd.exe
Token: SeDebugPrivilege	2888	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7120648f241608d4b044725605e17a7cb5212b365e025cb22ec64fc354cbac69.exe
Token: 33	2888	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7120648f241608d4b044725605e17a7cb5212b365e025cb22ec64fc354cbac69.exe
Token: SeIncBasePriorityPrivilege	2888	HEUR-Trojan-Ransom.MSIL.Blocker.gen-7120648f241608d4b044725605e17a7cb5212b365e025cb22ec64fc354cbac69.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1236	7zFM.exe
1236	7zFM.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2108	Trojan-Ransom.Win32.Foreign.nzem-ee4c1750d4e4c543abaa722410e2f3bfb0bdf2bd5b567cd66f36a92ef8e98d72.exe
2108	Trojan-Ransom.Win32.Foreign.nzem-ee4c1750d4e4c543abaa722410e2f3bfb0bdf2bd5b567cd66f36a92ef8e98d72.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe
2672	taskmgr.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2652	Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
416	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
2944	Trojan-Ransom.Win32.Blocker.ljpe-73fece16bccb22d72e1e27aedabdc2f8168bea1f88b3d24406aecde8caed7400.exe
2392	Trojan-Ransom.Win32.Blocker.lyyb-24713dba676eb17446c32c41c02f1c2df0c7c0c141a10129ccfef3e83e939a44.exe
2120	Trojan-Ransom.Win32.Foreign.nzsj-3bd623f8c86656ff0e228b650e1a4530954ff4ee787ff59d0f05fa338381695b.exe
1636	Trojan-Ransom.Win32.Shade.owu-bb6f856ad48b43e231364df2fcc37ec2a115335f4a0d6e9968b709ce163d13f3.exe
1636	Trojan-Ransom.Win32.Shade.owu-bb6f856ad48b43e231364df2fcc37ec2a115335f4a0d6e9968b709ce163d13f3.exe
1636	Trojan-Ransom.Win32.Shade.owu-bb6f856ad48b43e231364df2fcc37ec2a115335f4a0d6e9968b709ce163d13f3.exe
1576	nvc32.exe
1576	nvc32.exe
1576	nvc32.exe
416	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
3216	Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
2804	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
1344	Trojan-Ransom.Win32.Shade.pum-fb814be5ad2692c8c833d98abf8d15345b95d09a95ac5abfc6d758c9786fe4de.exe
904	HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
1400	sonickey.exe
2364	sonickey.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2888	2308	cmd.exe	36
PID 2308 wrote to memory of 2888	2308	cmd.exe	36
PID 2308 wrote to memory of 2888	2308	cmd.exe	36
PID 2308 wrote to memory of 2888	2308	cmd.exe	36
PID 2308 wrote to memory of 1808	2308	cmd.exe	37
PID 2308 wrote to memory of 1808	2308	cmd.exe	37
PID 2308 wrote to memory of 1808	2308	cmd.exe	37
PID 2308 wrote to memory of 1808	2308	cmd.exe	37
PID 2308 wrote to memory of 2024	2308	cmd.exe	38
PID 2308 wrote to memory of 2024	2308	cmd.exe	38
PID 2308 wrote to memory of 2024	2308	cmd.exe	38
PID 2308 wrote to memory of 2024	2308	cmd.exe	38
PID 2308 wrote to memory of 2804	2308	cmd.exe	39
PID 2308 wrote to memory of 2804	2308	cmd.exe	39
PID 2308 wrote to memory of 2804	2308	cmd.exe	39
PID 2308 wrote to memory of 2804	2308	cmd.exe	39
PID 2308 wrote to memory of 2860	2308	cmd.exe	40
PID 2308 wrote to memory of 2860	2308	cmd.exe	40
PID 2308 wrote to memory of 2860	2308	cmd.exe	40
PID 2308 wrote to memory of 2860	2308	cmd.exe	40
PID 2308 wrote to memory of 316	2308	cmd.exe	41
PID 2308 wrote to memory of 316	2308	cmd.exe	41
PID 2308 wrote to memory of 316	2308	cmd.exe	41
PID 2308 wrote to memory of 316	2308	cmd.exe	41
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 316 wrote to memory of 1208	316	HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe	43
PID 2308 wrote to memory of 1796	2308	cmd.exe	42
PID 2308 wrote to memory of 1796	2308	cmd.exe	42
PID 2308 wrote to memory of 1796	2308	cmd.exe	42
PID 2308 wrote to memory of 1796	2308	cmd.exe	42
PID 2308 wrote to memory of 2652	2308	cmd.exe	44
PID 2308 wrote to memory of 2652	2308	cmd.exe	44
PID 2308 wrote to memory of 2652	2308	cmd.exe	44
PID 2308 wrote to memory of 2652	2308	cmd.exe	44
PID 2308 wrote to memory of 2952	2308	cmd.exe	45
PID 2308 wrote to memory of 2952	2308	cmd.exe	45
PID 2308 wrote to memory of 2952	2308	cmd.exe	45
PID 2308 wrote to memory of 2952	2308	cmd.exe	45
PID 2308 wrote to memory of 2944	2308	cmd.exe	46
PID 2308 wrote to memory of 2944	2308	cmd.exe	46
PID 2308 wrote to memory of 2944	2308	cmd.exe	46
PID 2308 wrote to memory of 2944	2308	cmd.exe	46
PID 2308 wrote to memory of 2392	2308	cmd.exe	47
PID 2308 wrote to memory of 2392	2308	cmd.exe	47
PID 2308 wrote to memory of 2392	2308	cmd.exe	47
PID 2308 wrote to memory of 2392	2308	cmd.exe	47
PID 2308 wrote to memory of 2236	2308	cmd.exe	48
PID 2308 wrote to memory of 2236	2308	cmd.exe	48
PID 2308 wrote to memory of 2236	2308	cmd.exe	48
PID 2308 wrote to memory of 2236	2308	cmd.exe	48
PID 2308 wrote to memory of 2104	2308	cmd.exe	49
PID 2308 wrote to memory of 2104	2308	cmd.exe	49
PID 2308 wrote to memory of 2104	2308	cmd.exe	49
PID 2308 wrote to memory of 2104	2308	cmd.exe	49
PID 2308 wrote to memory of 1240	2308	cmd.exe	50
PID 2308 wrote to memory of 1240	2308	cmd.exe	50

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00362.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\Desktop\00362\HEUR-Trojan-Ransom.MSIL.Blocker.gen-7120648f241608d4b044725605e17a7cb5212b365e025cb22ec64fc354cbac69.exe
  HEUR-Trojan-Ransom.MSIL.Blocker.gen-7120648f241608d4b044725605e17a7cb5212b365e025cb22ec64fc354cbac69.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Users\Admin\Desktop\00362\HEUR-Trojan-Ransom.MSIL.Crusis.gen-8f6d43123d4775accaefec86fe48ee3eadefc6b7d6f4cc8e9b1457f11a18f3fd.exe
  HEUR-Trojan-Ransom.MSIL.Crusis.gen-8f6d43123d4775accaefec86fe48ee3eadefc6b7d6f4cc8e9b1457f11a18f3fd.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 512
    3⤵
    - Program crash
    PID:4536
- C:\Users\Admin\Desktop\00362\HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe
  HEUR-Trojan-Ransom.Win32.Crusis.gen-1b6e0745f55770f15cef6ba784b277927aee768c1002197cbaae0251c4817b4e.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2024
- C:\Users\Admin\Desktop\00362\HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
  HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of UnmapMainImage
  PID:2804
- - C:\Users\Admin\Desktop\00362\HEUR-Trojan-Ransom.Win32.Crypmodadv.gen-320507782c731aef5234987ec1b14d78515ebe8bbe415da98c1232a10cc0c8e0.exe
    --df59484e
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID:904
- C:\Users\Admin\Desktop\00362\HEUR-Trojan-Ransom.Win32.Encoder.gen-7b392d62c0cf66f0cdb494c3e9ab8d0d4dda654fab1628d45c510201124d2118.exe
  HEUR-Trojan-Ransom.Win32.Encoder.gen-7b392d62c0cf66f0cdb494c3e9ab8d0d4dda654fab1628d45c510201124d2118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2860
- C:\Users\Admin\Desktop\00362\HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
  HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\Desktop\00362\HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
    HEUR-Trojan-Ransom.Win32.Generic-ccdc254a5f222da48a874d90c02ed1b78d9100d15a9d75978adfa839648de845.exe
    3⤵
    - Executes dropped EXE
    PID:1208
- C:\Users\Admin\Desktop\00362\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
  HEUR-Trojan-Ransom.Win32.PolyRansom.gen-fc48846e615556b8f8dd2a4ea242d906de9a7cb244ae074abcb9956888071651.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1796
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
  Trojan-Ransom.Win32.Blocker.kpuo-ffa0baef91cf6a1b9497d04d85b655bef807bebe804003bf7c2cafada4329bac.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2652
- - C:\Windows\xk.exe
    C:\Windows\xk.exe
    3⤵
    PID:4972
- - C:\Windows\xk.exe
    C:\Windows\xk.exe
    3⤵
    PID:1828
- - C:\Windows\xk.exe
    C:\Windows\xk.exe
    3⤵
    PID:760
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Blocker.lcym-299f0c0eb83c24099d59635974b4e26447695ff4dfc43a5d635eb548963e8eb2.exe
  Trojan-Ransom.Win32.Blocker.lcym-299f0c0eb83c24099d59635974b4e26447695ff4dfc43a5d635eb548963e8eb2.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2952
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Blocker.ljpe-73fece16bccb22d72e1e27aedabdc2f8168bea1f88b3d24406aecde8caed7400.exe
  Trojan-Ransom.Win32.Blocker.ljpe-73fece16bccb22d72e1e27aedabdc2f8168bea1f88b3d24406aecde8caed7400.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2944
- - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Blocker.ljpe-73fece16bccb22d72e1e27aedabdc2f8168bea1f88b3d24406aecde8caed7400.exe
    rojan-Ransom.Win32.Blocker.ljpe-73fece16bccb22d72e1e27aedabdc2f8168bea1f88b3d24406aecde8caed7400.exe
    3⤵
    PID:4960
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Blocker.lyyb-24713dba676eb17446c32c41c02f1c2df0c7c0c141a10129ccfef3e83e939a44.exe
  Trojan-Ransom.Win32.Blocker.lyyb-24713dba676eb17446c32c41c02f1c2df0c7c0c141a10129ccfef3e83e939a44.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2392
- - C:\Users\Admin\AppData\Local\nvc32.exe
    C:\Users\Admin\AppData\Local\nvc32.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1576
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
  Trojan-Ransom.Win32.Crusis.to-253b606a1df715d763023be86ba061e79b17202a4f6c3387b66905f7661210cc.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2236
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1944
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:3504
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3976
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
  Trojan-Ransom.Win32.Crypmod.abce-57e84da4e957456c4e8175890ede206164cf6dfd3294e43881a9c8a85e582dd1.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 188
    3⤵
    - Program crash
    PID:3984
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Crypmod.absj-d531ab589af63660210359ee898d845cb79d6799c70882932d9f191b2e322f66.exe
  Trojan-Ransom.Win32.Crypmod.absj-d531ab589af63660210359ee898d845cb79d6799c70882932d9f191b2e322f66.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1240
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bz.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3968
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Foreign.nysp-1540e3fdbc52ad3de631bf66af69bff0e88c38981a06a74ecab16a2a739e7111.exe
  Trojan-Ransom.Win32.Foreign.nysp-1540e3fdbc52ad3de631bf66af69bff0e88c38981a06a74ecab16a2a739e7111.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2268
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Foreign.nzem-ee4c1750d4e4c543abaa722410e2f3bfb0bdf2bd5b567cd66f36a92ef8e98d72.exe
  Trojan-Ransom.Win32.Foreign.nzem-ee4c1750d4e4c543abaa722410e2f3bfb0bdf2bd5b567cd66f36a92ef8e98d72.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of FindShellTrayWindow
  PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\10F2\879.bat" "C:\Users\Admin\AppData\Roaming\cryppast\dpnadPnp.exe" "C:\Users\Admin\Desktop\00362\TR5AFE~1.EXE""
    3⤵
    PID:4944
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Foreign.nzsj-3bd623f8c86656ff0e228b650e1a4530954ff4ee787ff59d0f05fa338381695b.exe
  Trojan-Ransom.Win32.Foreign.nzsj-3bd623f8c86656ff0e228b650e1a4530954ff4ee787ff59d0f05fa338381695b.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd73fe55db.bat"
    3⤵
    PID:2868
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Foreign.zhs-b97827f56e5d80a8ea6d929cbd85c29a45f3fb7ed2da237c819535229ea91f91.exe
  Trojan-Ransom.Win32.Foreign.zhs-b97827f56e5d80a8ea6d929cbd85c29a45f3fb7ed2da237c819535229ea91f91.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2052
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Gen.djd-201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
  Trojan-Ransom.Win32.Gen.djd-201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /xml "C:\Users\Admin\Desktop\00362\1.xml" /tn "Microsoft Update Scheduler" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c 157641730997849.bat
    3⤵
    PID:3740
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      PID:4776
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
  Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    3⤵
    PID:3732
- - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
    Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1252
  - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
      "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        
        PID:4568
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:236
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2900
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5272
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5292
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5300
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3544
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3196
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1004
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5016
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4768
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4984
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4092
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2964
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5104
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3572
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5700
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3772
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4836
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4584
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:544
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4468
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5028
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3328
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5424
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5456
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5464
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5480
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5528
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5336
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3472
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5140
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5204
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4736
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:160
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6060
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1744
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5860
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5776
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5720
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3552
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4292
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4012
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4440
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2112
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:664
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4920
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4832
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5452
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1632
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5384
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5412
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5300
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5284
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:164
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4056
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5512
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5280
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1224
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2760
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:996
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1664
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5552
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6052
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5972
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3664
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2584
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5004
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4788
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2924
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2560
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2668
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3404
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5752
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2776
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4548
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4288
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4068
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4840
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6024
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4000
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3700
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3780
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5716
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3348
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3752
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2944
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4744
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5092
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4004
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2116
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5324
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5260
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5560
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5536
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5188
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4256
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4896
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4556
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6116
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1744
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3488
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5956
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5924
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6028
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4688
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:896
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2040
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3572
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4580
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5736
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3556
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1884
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4312
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4416
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4324
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4452
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4740
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4604
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4484
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2124
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3152
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1264
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5256
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4192
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3236
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4060
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3564
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4780
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5544
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2760
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5124
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6116
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4792
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2676
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2732
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5132
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5908
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2560
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5228
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4288
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3616
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1652
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3536
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3136
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5780
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5612
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2828
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2756
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2932
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6048
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4136
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3420
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4860
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2164
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2440
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3204
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5360
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5216
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6076
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5728
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5644
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4160
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2732
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5172
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3640
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6084
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4092
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3792
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5032
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5340
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3904
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3052
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:1060
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4916
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5768
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5888
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5248
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2368
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2300
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6072
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4428
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2640
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4824
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:940
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2632
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3472
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5352
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6052
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:4064
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5264
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5192
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5140
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5204
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6060
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:3452
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:660
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:6036
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:2680
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5104
    - - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe
        
        "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.ahg-ea5a47ff2ae0b0922b70f25944b690e95267fc83043279be2ea895b5cab5410d.exe" g
        5⤵
        
        PID:5976
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
  Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1952
- - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe
    "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.dfk-fa03a5919f885e26b3147cae493f7981614b83edaca30a11315219d7127bb96b.exe" g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    PID:3952
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3356
- - C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
    "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    PID:3100
  - - C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
      "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:2752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f252888.vbs"
    3⤵
    PID:4704
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
  Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1900
- - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
    Trojan-Ransom.Win32.SageCrypt.dqq-9b0682fd7846e7edd3bf6206adb76e94953f7af62243928449af563f95ab9339.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - Modifies security service
    - UAC bypass
    - Windows security bypass
    - Drops startup file
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1932
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.eqs-8eea329ef17e6b6d21c2b5e8b5f063a5c73e1116787b77bc034232071fe65391.exe
  Trojan-Ransom.Win32.SageCrypt.eqs-8eea329ef17e6b6d21c2b5e8b5f063a5c73e1116787b77bc034232071fe65391.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3052
- - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.eqs-8eea329ef17e6b6d21c2b5e8b5f063a5c73e1116787b77bc034232071fe65391.exe
    "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.eqs-8eea329ef17e6b6d21c2b5e8b5f063a5c73e1116787b77bc034232071fe65391.exe" g
    3⤵
    PID:5344
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe
  Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3044
- - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe
    "C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.SageCrypt.xx-5ffd631d2e652487074b273c7199b1b3e619fb975cbd0ec82c9c9af27f250276.exe" g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "2y3tcrdB" /TR "C:\Users\Admin\AppData\Roaming\DbLrW8nl.exe" /SC ONLOGON /RL HIGHEST /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3468
- - C:\Users\Admin\AppData\Roaming\DbLrW8nl.exe
    "C:\Users\Admin\AppData\Roaming\DbLrW8nl.exe"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config252888.bat"
    3⤵
    PID:4632
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
  Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: MapViewOfSection
  PID:1084
- - C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
    Trojan-Ransom.Win32.Shade.oaq-556385396b3383b85bc2e2e9fdf1c3bc8801d4665aae745b0120a4ac4d95aaa0.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3728
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Shade.owu-bb6f856ad48b43e231364df2fcc37ec2a115335f4a0d6e9968b709ce163d13f3.exe
  Trojan-Ransom.Win32.Shade.owu-bb6f856ad48b43e231364df2fcc37ec2a115335f4a0d6e9968b709ce163d13f3.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:1636
- C:\Users\Admin\Desktop\00362\Trojan-Ransom.Win32.Shade.pum-fb814be5ad2692c8c833d98abf8d15345b95d09a95ac5abfc6d758c9786fe4de.exe
  Trojan-Ransom.Win32.Shade.pum-fb814be5ad2692c8c833d98abf8d15345b95d09a95ac5abfc6d758c9786fe4de.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of UnmapMainImage
  PID:1344
- C:\Users\Admin\Desktop\00362\VHO-Trojan-Ransom.Win32.CryFile.gen-9a78b34c50b14d1da2e250fa837fb3afeb767d1fd0e2708dde3dc597fe225456.exe
  VHO-Trojan-Ransom.Win32.CryFile.gen-9a78b34c50b14d1da2e250fa837fb3afeb767d1fd0e2708dde3dc597fe225456.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 472
    3⤵
    - Program crash
    PID:5092
- C:\Users\Admin\Desktop\00362\VHO-Trojan-Ransom.Win32.Crypmodadv.gen-b4fd9c26812533a547a864fb82fe60ddf821f98e1eb57e0dd90fa9278b884a2f.exe
  VHO-Trojan-Ransom.Win32.Crypmodadv.gen-b4fd9c26812533a547a864fb82fe60ddf821f98e1eb57e0dd90fa9278b884a2f.exe
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1768
- C:\Users\Admin\Desktop\00362\VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
  VHO-Trojan-Ransom.Win32.GandCrypt.gen-a5a9138278c0357d815d9ef46cfe1b239083db73c9be5075068c69355cb84f2e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2176
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup nomoreransom.coin dns1.soprodns.ru
    3⤵
    PID:4340

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3540

C:\Windows\SysWOW64\sonickey.exe
"C:\Windows\SysWOW64\sonickey.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:1400
- C:\Windows\SysWOW64\sonickey.exe
  --fc71f065
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2208

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {7007ACC7-3202-11D1-AAD2-00805FC1270E} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion