Analysis

  • max time kernel
    239s
  • max time network
    238s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-11-2024 19:37

General

  • Target

    RNSM00354.7z

  • Size

    6.8MB

  • MD5

    00d2c7493d9c514fe2a9c0d8b87d1484

  • SHA1

    f6b63772a282555c675fca567f6af3a83f2d4df6

  • SHA256

    2d0d54a8f9c47e533b57d6ef8abe888a55d9640864bf1177be681681fd5b7201

  • SHA512

    45aa77f6e9ab24711d3445c97729174d0f364f79a505a4f5d5aed7153a39c1d36504acc7fd9228e284572440b6768dd3280ddbd26864568ede316a0e0554c4a0

  • SSDEEP

    196608:euIhlBI9Bcp/mHqCMUcQnBkLie+ca5Xs621X0BrWMmP10J0wiJ9PdQbp:tIHG9BcuqRUciB6dV621oDm10JJIVQl

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MEGworld.,

Extracted

Path

C:\$Recycle.Bin\SGTSNWVI-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.1 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .SGTSNWVI

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/eac637f08eba8546
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---

---BEGIN PC DATA---
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
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/eac637f08eba8546
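
The note gives a responder three things to work from: the extension appended to every encrypted file (.SGTSNWVI), the note file name derived from it (SGTSNWVI-DECRYPT.txt, dropped here in C:\$Recycle.Bin and, per the process tree, on both the user and Public desktops), and the victim-specific .onion URL. The Python below is an added triage example, not part of the sandbox report: it walks a filesystem, finds GandCrab-style notes, pulls the extension and URL out of the note body, and counts encrypted files by the type they had before encryption. The directory it builds is constructed sample data, and the rule that a note is named by 5-10 uppercase letters followed by -DECRYPT.txt is an assumption generalised from this sample.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption for this example: a GandCrab note is named <EXT>-DECRYPT.txt where
# EXT is the 5-10 uppercase-letter extension appended to encrypted files.
NOTE_NAME = re.compile(r"^([A-Z]{5,10})-DECRYPT\.txt$")
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*")
EXT_LINE = re.compile(r"extension:\s*\.([A-Za-z0-9]+)")


def find_ransom_notes(root):
    """Return [(path, extension_from_name)] for every note below root."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            m = NOTE_NAME.match(name)
            if m:
                hits.append((Path(dirpath) / name, m.group(1)))
    return hits


def extract_indicators(note_text):
    """Pull the advertised extension and any .onion URLs out of a note body."""
    m = EXT_LINE.search(note_text)
    return (m.group(1) if m else None), ONION_URL.findall(note_text)


def inventory_encrypted(root, ext):
    """Count files ending in .<ext>, keyed by the extension they had before encryption."""
    by_original = Counter()
    suffix = "." + ext.lower()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(suffix):
                original = Path(name[: -len(suffix)]).suffix.lower() or "(none)"
                by_original[original] += 1
    return by_original


def triage(root):
    """Locate notes, derive IOCs from the first one, and measure the blast radius."""
    notes = find_ransom_notes(root)
    result = {"notes": sorted(str(p) for p, _ in notes), "extension": None,
              "urls": [], "encrypted": {}}
    if not notes:
        return result
    path, tag = notes[0]
    ext, urls = extract_indicators(path.read_text(errors="replace"))
    result["extension"] = ext or tag        # note body first, file name as fallback
    result["urls"] = sorted(set(urls))
    result["encrypted"] = dict(inventory_encrypted(root, result["extension"]))
    return result


def build_sample_tree(base):
    """Constructed sample data (not from the analysed VM): two notes plus a few encrypted files."""
    base = Path(base)
    note = ("---= GANDCRAB V5.1 =---\n"
            "All your files ... are encrypted and have the extension: .SGTSNWVI\n"
            "| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/eac637f08eba8546\n")
    for d in ("Users/Admin/Desktop", "Users/Public/Desktop"):
        (base / d).mkdir(parents=True, exist_ok=True)
        (base / d / "SGTSNWVI-DECRYPT.txt").write_text(note)
    for name in ("report.docx.SGTSNWVI", "budget.xlsx.SGTSNWVI",
                 "photo.jpg.SGTSNWVI", "notes.txt.SGTSNWVI", "untouched.txt"):
        (base / "Users/Admin/Desktop" / name).write_bytes(b"\x00")
    return base


def demo():
    """Build the sample tree in a fresh temp dir and triage it."""
    return triage(build_sample_tree(tempfile.mkdtemp(prefix="gc-triage-")))


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted image of the affected volume instead of the sample tree by calling `triage("/mnt/victim")`; the per-original-extension counts are what you need when deciding which data sets are lost and which backups must be restored, and the extracted URL goes straight into the network block list.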

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

mrz.myvnc.com:1177

Mutex

f7d73a561f889dd49782785d2334f155

Attributes
  • reg_key

    f7d73a561f889dd49782785d2334f155

  • splitter

    |'|'|
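
The njRAT configuration above supplies the two values a network analyst needs to read this sample's traffic: the C2 endpoint (mrz.myvnc.com:1177) and the field splitter |'|'|. The Python below is an added example, not code from the report or from the malware, that carves njRAT 0.7d frames out of a captured TCP stream (an ASCII decimal length, a NUL byte, then the payload) and splits each payload on the splitter, so the same code can be pointed at a pcap reassembled stream or used as the basis of a classifier. The sample stream and every field value in it are constructed for the example; the registration-message layout assumed for it is an assumption and not something this report states.

```python
# Values taken from the extracted configuration above.
NJRAT_SPLITTER = "|'|'|"
NJRAT_C2 = ("mrz.myvnc.com", 1177)


def split_frames(stream: bytes):
    """Carve njRAT frames from a raw TCP stream.

    Framing: ASCII decimal length, a NUL byte, then that many payload bytes.
    Returns (payloads, trailing) where trailing is any incomplete frame left
    at the end of the buffer, so the caller can keep it for the next read.
    Raises ValueError if the length field is not purely numeric.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break  # no complete length field yet
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length field at offset {pos}: {length_field!r}")
        length = int(length_field)
        start = nul + 1
        if start + length > len(stream):
            break  # payload not fully received yet
        frames.append(stream[start:start + length])
        pos = start + length
    return frames, stream[pos:]


def parse_fields(payload: bytes, splitter: str = NJRAT_SPLITTER):
    """Split one payload on the configured splitter; the first field is the command token."""
    fields = payload.decode("utf-8", errors="replace").split(splitter)
    return fields[0], fields[1:]


def looks_like_njrat(stream: bytes, splitter: str = NJRAT_SPLITTER) -> bool:
    """Cheap stream classifier: well-formed framing and the splitter inside at least one frame."""
    try:
        frames, _ = split_frames(stream)
    except ValueError:
        return False
    return any(splitter.encode() in f for f in frames)


# Constructed sample traffic (not a real capture). The field order mimics a
# registration message (assumed layout: command, botnet_hwid, hostname, user,
# date, <empty>, OS string, webcam flag, version, ...); the botnet prefix and
# version come from the config above, everything else is made up.
SAMPLE_FIELDS = ["ll", "HacKed_5A3C1F09", "WIN7-PC", "Admin", "24-11-09", "",
                 "Win 7 Ultimate SP1 x64", "No", "0.7d", ".."]
SAMPLE_PAYLOAD = NJRAT_SPLITTER.join(SAMPLE_FIELDS).encode()
# Registration frame followed by a one-byte second frame to show multi-frame carving.
SAMPLE_STREAM = f"{len(SAMPLE_PAYLOAD)}\x00".encode() + SAMPLE_PAYLOAD + b"1\x00P"


if __name__ == "__main__":
    frames, rest = split_frames(SAMPLE_STREAM)
    for f in frames:
        cmd, fields = parse_fields(f)
        print(f"command={cmd!r} fields={fields}")
    print("njRAT-like:", looks_like_njrat(SAMPLE_STREAM), "leftover bytes:", len(rest))
```

Because the splitter is configurable per build, feed `parse_fields` the value from the extracted config of the sample you are looking at rather than hard-coding it; the framing check alone will also flag other .NET RATs that borrowed njRAT's length-NUL prefix, so treat `looks_like_njrat` as a triage filter, not an attribution.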

Signatures

  • Formbook

    Formbook is an information stealer and form grabber that harvests credentials and keystrokes from browsers and other applications.

  • Formbook family
  • Gandcrab

    GandCrab is a ransomware family that encrypts files on the victim's computer and demands payment for the decryption key.

  • Gandcrab family
  • HawkEye

    HawkEye is a keylogger and credential-stealing malware kit that has seen continuous development since at least 2013.

  • Hawkeye family
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Njrat family
  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (271) files with added filename extension

    Consistent with ransomware encrypting files across the system and appending its own extension to each one.

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 31 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to the credential history kept by Windows Credential Manager.

  • Drops startup file 4 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 34 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications; because it can serve as a sandboxing environment, malware checks for it before running its payload.

  • Loads dropped DLL 44 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 14 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line utility for managing the network configuration of a system. Helper DLLs registered with it are loaded every time netsh runs, which adversaries can use for persistence. Note that the netsh invocation in the process tree below adds a firewall exception for a dropped executable rather than registering a helper DLL, so check the command line before treating this hit as helper-DLL persistence.

  • System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of the host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility (NETSTAT.EXE in the process tree below) to view network configuration.

  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of UnmapMainImage 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
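
Several of the behaviours listed above correspond to exact command lines recorded in the process tree below: wmic shadowcopy delete, schtasks /create ... /sc minute /mo 1 pointing at a file under the user's Desktop, netsh firewall add allowedprogram for an executable in AppData, net user administrator /active:yes, vbc.exe /stext writing to a Temp file (the pattern HawkEye uses when it runs NirSoft recovery tools inside a hollowed vbc.exe), and cmd /c copy of the sample into AppData\Local. The Python below is an added example, not part of the sandbox report, that turns those observations into detection rules run over process-creation events. The event records, the rule names and the benign control lines are constructed for the example; the field names pid, image and cmdline are assumed and would be mapped from Sysmon Event ID 1 or Security 4688 in a real pipeline.

```python
import re
from typing import Dict, List

# Each rule: (name, regex on the image path, regex on the command line).
# Written from the command lines in this report's process tree; the names are ours.
RULES = [
    ("shadow_copy_deletion", r"(wmic|vssadmin)\.exe$",
     r"shadowcopy\s+delete|delete\s+shadows"),
    ("schtask_every_minute_user_path", r"schtasks\.exe$",
     r'/create\b.*\\Users\\.*/sc\s+minute'),
    ("firewall_allow_user_path", r"netsh\.exe$",
     r'firewall\s+add\s+allowedprogram\s+"?[a-z]:\\Users\\'),
    ("builtin_admin_enabled", r"net1?\.exe$",
     r"user\s+administrator\s+/active:yes"),
    ("nirsoft_stext_in_vbc", r"vbc\.exe$", r"/stext\s"),
    ("self_copy_to_appdata", r"cmd\.exe$",
     r'/c\s+copy\s+.*\\AppData\\Local\\'),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]


def match_rules(event: Dict[str, object]) -> List[str]:
    """Names of every rule whose image and command-line patterns both match the event."""
    image = str(event.get("image", ""))
    cmdline = str(event.get("cmdline", ""))
    return [n for n, img_re, cmd_re in COMPILED
            if img_re.search(image) and cmd_re.search(cmdline)]


def scan(events) -> Dict[str, List[int]]:
    """Map rule name -> PIDs that triggered it, in event order."""
    hits: Dict[str, List[int]] = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(name, []).append(ev["pid"])
    return hits


# Constructed events modelled on the process tree (file names shortened);
# the last two are benign control lines that must not fire.
SAMPLE_EVENTS = [
    {"pid": 2240, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    {"pid": 1040, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\sample.exe" /sc minute /mo 1'},
    {"pid": 1004, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\nvtray86.exe" "nvtray86.exe" ENABLE'},
    {"pid": 2520, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 user administrator /active:yes"},
    {"pid": 2952, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'},
    {"pid": 2644, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy "sample.exe" "C:\Users\Admin\AppData\Local\sysmodes.exe"'},
    {"pid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\run.exe" /sc daily'},
    {"pid": 4001, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Program Files\App\app.exe" "App" ENABLE'},
]


if __name__ == "__main__":
    for rule, pids in scan(SAMPLE_EVENTS).items():
        print(f"{rule:32s} PIDs {pids}")
```

The two control events show why the rules key on the path of the scheduled or allow-listed binary and not just on the tool: scheduled tasks and firewall exceptions are routine for software under Program Files, while the same commands referencing a file under C:\Users\ are rarely legitimate on a workstation. Shadow-copy deletion and enabling the built-in Administrator account have no benign equivalent worth excluding and should page on their own.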

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00354.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2980
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:888
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe
      HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe" "C:\Users\Admin\AppData\Local\sysmodes.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\sysmodes.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1224
        • C:\Users\Admin\AppData\Local\sysmodes.exe
          "C:\Users\Admin\AppData\Local\sysmodes.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2960
          • C:\Users\Admin\AppData\Local\sysmodes.exe
            "C:\Users\Admin\AppData\Local\sysmodes.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            PID:3860
    • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
      HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
      • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
        "HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:988
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /tn NYAN /F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1268
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe" /sc minute /mo 1
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1040
    • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
      HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:2852
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
    • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exe
      HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Users\Admin\AppData\Roaming\38B42D9B3E8345F487893\38B42D9B3E8345F487893.exe
        "C:\Users\Admin\AppData\Roaming\38B42D9B3E8345F487893\38B42D9B3E8345F487893.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        PID:1132
    • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Generic-a7a15cfa6e622c2bb9f59ed1801f481dfaf2bd52dfdb10f94dcf58f546e9dae1.exe
      HEUR-Trojan-Ransom.Win32.Generic-a7a15cfa6e622c2bb9f59ed1801f481dfaf2bd52dfdb10f94dcf58f546e9dae1.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:2352
    • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Shade.gen-748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b.exe
      HEUR-Trojan-Ransom.Win32.Shade.gen-748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of UnmapMainImage
      PID:2824
    • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe
      Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\windows\explorer.exe
        "C:\windows\explorer.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\Desktop\00354\unit.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2828
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 0.5 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:988
        • C:\Windows\SysWOW64\net.exe
          net user administrator /active:yes
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1240
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user administrator /active:yes
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2520
    • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
      Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1128
      • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
        "C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe"
        3⤵
        • Executes dropped EXE
        PID:832
      • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
        "C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe"
        3⤵
        • Executes dropped EXE
        PID:1480
      • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
        "C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:860
        • C:\Users\Admin\AppData\Roaming\nvtray86.exe
          "C:\Users\Admin\AppData\Roaming\nvtray86.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • System Location Discovery: System Language Discovery
          PID:1228
          • C:\Users\Admin\AppData\Roaming\nvtray86.exe
            "C:\Users\Admin\AppData\Roaming\nvtray86.exe"
            5⤵
            • Executes dropped EXE
            PID:1512
          • C:\Users\Admin\AppData\Roaming\nvtray86.exe
            "C:\Users\Admin\AppData\Roaming\nvtray86.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1144
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\nvtray86.exe" "nvtray86.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:1004
    • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe
      Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of SetWindowsHookEx
      PID:1268
      • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe
        rojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        PID:1584
        • C:\Users\Admin\AppData\Roaming\Windows Update.exe
          "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:760
          • C:\Users\Admin\AppData\Roaming\Windows Update.exe
            C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of UnmapMainImage
            PID:2336
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
              6⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:2952
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2192
    • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe
      Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of UnmapMainImage
      PID:2452
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
          PID:576
      • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exe
        Trojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2704
      • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
        Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2644
      • C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Shade.pko-8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6.exe
        Trojan-Ransom.Win32.Shade.pko-8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of UnmapMainImage
        PID:2964
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:292
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1860
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      PID:1848
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:2752
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies registry class
        PID:2708
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Modifies registry class
        PID:2284
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Drops file in Program Files directory
        PID:2020
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies registry class
        PID:1788
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Drops file in Program Files directory
        PID:1420
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Drops file in Program Files directory
        PID:1072
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Drops file in Program Files directory
        PID:1992
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Modifies registry class
        PID:2788
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2764
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SGTSNWVI-DECRYPT.txt
          2⤵
            PID:2236
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          PID:2508
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Modifies registry class
          PID:3020
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Modifies registry class
          PID:1364
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Modifies registry class
          PID:2424
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          PID:1472
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Modifies registry class
          PID:1736
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          PID:2748
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          PID:1148
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          PID:2216
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          PID:3016
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Modifies registry class
          PID:2388
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          PID:2600
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Modifies registry class
          PID:1888
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          PID:1552
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          PID:1600
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:2008
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            2⤵
              PID:1476
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Loads dropped DLL
            • Modifies registry class
            PID:600
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Sets service image path in registry
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Checks processor information in registry
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious behavior: LoadsDriver
            • Suspicious use of SetWindowsHookEx
            PID:2664
            • C:\Program Files\Windows Sidebar\sidebar.exe
              "C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets
              2⤵
                PID:2532
              • C:\Windows\SysWOW64\sort.exe
                C:\Windows\SysWOW64\sort.exe
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1080
              • C:\Windows\system32\NOTEPAD.EXE
                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\SGTSNWVI-DECRYPT.txt
                2⤵
                  PID:4052
                • C:\Windows\SysWOW64\NETSTAT.EXE
                  "C:\Windows\SysWOW64\NETSTAT.EXE"
                  2⤵
                  • Adds policy Run key to start application
                  • Suspicious use of SetThreadContext
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Gathers network information
                  • Modifies Internet Explorer settings
                  • Suspicious behavior: MapViewOfSection
                  PID:3084
                  • C:\Windows\SysWOW64\cmd.exe
                    /c del "C:\Users\Admin\AppData\Local\sysmodes.exe"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2768
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  2⤵
                    PID:3596
                  • C:\Program Files (x86)\Pmv1lgp\helpyvntivh0.exe
                    "C:\Program Files (x86)\Pmv1lgp\helpyvntivh0.exe"
                    2⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2568
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c copy "C:\Program Files (x86)\Pmv1lgp\helpyvntivh0.exe" "C:\Users\Admin\AppData\Local\sysmodes.exe"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:1752
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\sysmodes.exe"
                      3⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      PID:3048
                      • C:\Users\Admin\AppData\Local\sysmodes.exe
                        "C:\Users\Admin\AppData\Local\sysmodes.exe"
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3704
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {71AE53FA-7CBF-49D3-9F60-4D985392A4F0} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
                  1⤵
                    PID:2176
                    • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
                      C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      PID:2604
                      • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
                        "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3216
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /Delete /tn NYAN /F
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:3780
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe" /sc minute /mo 1
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:3812
                    • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
                      C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      PID:1476
                      • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
                        "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1676
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /Delete /tn NYAN /F
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:4012
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe" /sc minute /mo 1
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:3324
                    • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
                      C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      PID:544
                      • C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
                        "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe"
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:564
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /Delete /tn NYAN /F
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:3528
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe" /sc minute /mo 1
                          4⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:3568
                  • C:\Windows\SysWOW64\DllHost.exe
                    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
                    1⤵
                    • System Location Discovery: System Language Discovery
                    PID:2884

                  Network

                  MITRE ATT&CK Enterprise v15

Downloads

• C:\$Recycle.Bin\SGTSNWVI-DECRYPT.txt
  Filesize: 8KB
  MD5: 29e135c9253f36bdfbf470486c3aa1ab
  SHA1: 2a034928f1af253fb29771fac990972f17fa998a
  SHA256: c2e7388540f0a445e87d39c42112c9affec1b10df54206798ec7a772933ce2f2
  SHA512: 0e1b51eb230c9c6070dd015026fa80ae16e141b80c1cc3c61011c7d4dac2a045706f0b146a47c74dfdef0e0ddca546b9c345e6d57a3c5c448c0a7aa6d9eec661

• C:\Program Files\Common Files\System\safe.dat
  Filesize: 631KB
  MD5: 3240d73d8fbcd35eaf18e86adacd24e0
  SHA1: 6a36a22652aa17a2fc9e47a97ebb15187695215c
  SHA256: 9666bc0693c13514a763f8dccc854facef07154e28e64f5711b84e92ee1546c9
  SHA512: 004a703632e46abfe722c64d72d1f3c8fb83ce3b08b296a4eed7a51db71bb8f6f1cd54d3090b57c6272e0d0e0ab5b5e9fcce62e2c5165381f09d4d2a07ff8a8a

• C:\Program Files\Common Files\System\safemon.dat
  Filesize: 207KB
  MD5: 84ce62cc88285d109c3ae0f4a12f04ed
  SHA1: 7aeef48a71a179a37d449642b0dae8c006e0054e
  SHA256: 68996c046372147c1e05869fc5478c391b41b243dd0beca564c863153371459b
  SHA512: 107974d9a500bdda4bfd17dbd44430c1d72f4f965b08874dceeefc66cc23f654d6e36f2920f4a47110edc4886cca6fa2aebc1f2e5fa125ad9e1f411f856ea4d7

• C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
  Filesize: 1KB
  MD5: 448279ebaf402d8cb8f466fdef5312f7
  SHA1: 54760754cf2bc536a106354afd1eea35259a6d09
  SHA256: c38513e8e6d5506913478c828f8ed1d82df18bd99ae5d9028249340ad1436215
  SHA512: c08993870d96dc36ce10b1008b8e475005ef5b2f03e233ca3f495d4235eab6b5393ce76788616e9d733743397b928625df37cdda198b4e959b94416f6b023e39

• C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
  Filesize: 1KB
  MD5: 3be8a455432a097a1c049f1c16c28728
  SHA1: fc286eb20b95b456ac4162e84d51d218253dc298
  SHA256: c09cb831866be7ffe22f7434fab9b0256127203a48aff10d34ff37c9a63191df
  SHA512: 89cf46b9e45089ff24268bc0680b3b33af18d5df4424fff32decdb5244282d1e310aaa5023bc7ac82f2c67971c50100dd8e3d4f1ab1a69a0cfe2aecccc6a2634

• C:\Users\Admin\AppData\Roaming\38B42D9B3E8345F487893\38B42D9B3E8345F487893.exe
  Filesize: 111KB
  MD5: 3500951d4982a805493be99d69ddfa09
  SHA1: a7bb9526a43e85cb93e1231f8c9b478f966c2dc1
  SHA256: 3c940ccba356b8df109f05667958d07283860410baa388098174297ba893a14a
  SHA512: fd0555fde958849ac0af795c7d0aef7c544dea619a770a2625b19bf800b34f2f3202e1fd15cad1314d2dbc0d1995770534b5c7292e605bdf2a1f3a8c4e6da19f

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs.js
  Filesize: 6KB
  MD5: 24fdf0dd36c2a2a85d580c4acc4cff8e
  SHA1: fe010123dad40a8c267d1e29d7ec27c6e05ce23d
  SHA256: c912807e382af4c54b483232d58c2beeb7254f94604c3008894388f26fe55562
  SHA512: d3a7d7ffd8b7b29e4c8d73f5732c3e7625ff0729e8eb46cb615c4b9f8b23a246dd7287ae59a04c94a76874ab9188a29bffdcb53e6f32db61dabbd145ba8cb34c

• C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Blocker.gen-8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2.exe
  Filesize: 399KB
  MD5: ae26c83889f494cc28d7064a549cb767
  SHA1: 364520aec2321908734853bc3f786f71c8e52f39
  SHA256: 8e0d4c42e81a2f4e4b772640d3c7a87025458e6e9a569446b1ea62bafbbad3c2
  SHA512: 7941e3514059b58f7dfa191d467b07a8ba664961b9dc6b81d66fdd9b38df48414f907992fbed5d812dfe4853563dd56f89e26d97b68453f9b80df66f83ef2c44

• C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af.exe
  Filesize: 361KB
  MD5: 8d6ef3dea0b0db7bd8fca84b5f9115fb
  SHA1: 636b919f08ff5fef787dd680b1c3a501af9575ff
  SHA256: a7f6c9949de3a2e08952286f98966eb228c047d517bd6f76e4443bb8144725af
  SHA512: 8d7ccde2372d912505c81ffc7d358b6660e4f63c5ac78b786a06ab2a0e022f71088fcd8306a1e81d9b2d14b82cb6948ae03e1ea709d6a7c276ed3225b62b6a93

• C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Encoder.gen-05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae.exe
  Filesize: 97KB
  MD5: fc686bacdc788d5e5bb4798de6ad928c
  SHA1: 52a98a1e741efffabebc926a8261c510faee360c
  SHA256: 05f099ff33011ea42ab51af5879fb72cd76185dd98dd8596f041654de9b210ae
  SHA512: 8b92981ede59a717aaab5068cdd8b6c76445c176521ce7c79c316dec509a593338a9dcdeb82105e63301be55e7ccd140e932ee5cdbe7adf83654de3516922e8c

• C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Generic-a7a15cfa6e622c2bb9f59ed1801f481dfaf2bd52dfdb10f94dcf58f546e9dae1.exe
  Filesize: 204KB
  MD5: fdb11d8d57469c9d39fa937e0575bcb6
  SHA1: 4e55b85e68488eb30e1904757a7297e7c47016f0
  SHA256: a7a15cfa6e622c2bb9f59ed1801f481dfaf2bd52dfdb10f94dcf58f546e9dae1
  SHA512: 676694e85bafe25e3dbad1f3c879a97eb57d2adea62b1007a96ee338d62907d8208fe198c806d454c995421ec8b79817bda80e5acf870ec52c8c9b8a6b4e0d68

• C:\Users\Admin\Desktop\00354\HEUR-Trojan-Ransom.Win32.Shade.gen-748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b.exe
  Filesize: 1.1MB
  MD5: b8636a7e4e306e86e7de2aee7656dc26
  SHA1: 4f515fa184cb43e5253b244efb6ecfe03c5f2423
  SHA256: 748a19ab3324da6e9bb674793bd7b2bfa7d8794e779514fe08558b967309bb7b
  SHA512: 57ba9baf21589c13bff610f8cd20df5100221ed9ab5e796fded85512780d8b78c76c7d811b1e8d83f9c27d65692b651dbd0d35bd03d1c029b4fc2a31296e7209

• C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Bitman.adnq-b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119.exe
  Filesize: 1.7MB
  MD5: 19eeb09249b44d9671dd829266df912b
  SHA1: 89ca0183f09b2313a0896dd0d10fa876056c1304
  SHA256: b9d7bdf16871f375df142bd3d9573b4a5b31e2159d89cb654cd104a993b5e119
  SHA512: f995240c16838a0f97f8957e5aa6041edf4c83d33c22b29667197f169a967e67514bc17fbee1c41ebf2dd171f48752fae1004f91210dd66329e94359ba5da650

• C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.jzjr-78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097.exe
  Filesize: 696KB
  MD5: 4e7ed4c55b73cbca330efbc3e1ddf109
  SHA1: 2fb12e06419b6afed90b53e0de5cbd47a1268f20
  SHA256: 78df1409949845140fc739da217d8568bf59337d566ab5a4895262b539fcd097
  SHA512: 53205b41f575384e12924f4e4b255146f0852819a72b32e7789dd217c80d07cee5b47425282fe1735db0685eb6069587c94e65484e72dea8e937bca7212680e3

• C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Blocker.ljpv-bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c.exe
  Filesize: 950KB
  MD5: 1efe7c7b4dd5297289ac9a87c6f23a3f
  SHA1: 5485297304d6a914f809228c9edb3ae626fd7476
  SHA256: bd6a1aa3cceed8b99f4b2e905712ecf60f8021de3898756df185a0018e0b4e2c
  SHA512: bc6e34063018a89866bdf940c822710c242c06dfc358e08792a683c0a1040cbb5beeb9a31591c94fdc32cc5a853d86547155f5c5330b0a0b58d6e69175e180fe

• C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Foreign.oevo-c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826.exe
  Filesize: 1.2MB
  MD5: 26321aa5e0b8bc9642a12f4be4d7884f
  SHA1: 2478b68d5d7c70514cccd5dab962326e9a387671
  SHA256: c5114a83ecef9fde37dff6e6fc10cf13102216fbff084fdbc5c1267510e95826
  SHA512: c86bfaff413a30f477d4217adfad5642a7ccbda4b5c29bcef360487e302b555555710db4883e6cbeae613c053ef096c9f3aa4fee35ea1411d3c8743a8d50d146

• C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.GandCrypt.hhv-e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f.exe
  Filesize: 622KB
  MD5: 9e7c12683e96306a33d083c6b7204665
  SHA1: 0ec9ef4a1bd676f11c5d8c5bde7599ecce62ba80
  SHA256: e806636f6240e952f4540c19fa26ffe171cb3f0a87b7bb6c41e48e4db5aa632f
  SHA512: 4515c508c46933e9700b66f58dad6717fa5f216ac09954219afb1cb4be2bb98e703a16b6278f385fddfb65249d1949d416dbf5f34bc2aa507eb433cb9774ae70

• C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Phpw.zf-67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41.exe
  Filesize: 942KB
  MD5: e6585150371edfcc67f233dfb7c9255b
  SHA1: de4d8774b6db30a5733fd7a0c2c672cbcf6439eb
  SHA256: 67e535e8ada1b3a83e9cd9e35ee4d8d15037beeedc8508c5699ccf4a0fc75a41
  SHA512: 695907bf3ba9fa52b64c8dcff398a0d8dab45d07843f78b5bf2025bc463145230557f584b653742aca8729e7bca31a59c7778d644d30dc9c0ee1e6add1582e3f

• C:\Users\Admin\Desktop\00354\Trojan-Ransom.Win32.Shade.pko-8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6.exe
  Filesize: 1.5MB
  MD5: 1e287a45c732a13d06d635e1989b8cb0
  SHA1: 6787c99908639ee40c29aae2047ddae75fb51550
  SHA256: 8dd8593366530bd2c626de06da3b3833e6256a5b67558ae9da44312d2f48cec6
  SHA512: 42c01c15fac390356031e1afb47e99de2b53172e2ffc25012a0309921421d7f748962bff3946782ca1e04b408d10c1d2d659357ea8b07d5d8aa3779de7e38460

• C:\Users\Admin\Desktop\00354\unit.bat
  Filesize: 211B
  MD5: 5008167e7d7b55deedb3702b59200955
  SHA1: c113ef5be30871962c682c428f82b4ca7896a100
  SHA256: 70049e90a5dd653892b0500e23b19246feef56bc415edd9f511ad33e11844a2f
  SHA512: ea30fbc2451607f783a15bb175a9ec1dbdb160a8848ca8366901980edae8a002238594299e7f36de564b2ac222194b8d382d6f840cbd9a987b72b7e72f87173d

• C:\Users\Admin\Desktop\BackupWatch.odp.sgtsnwvi
  Filesize: 432KB
  MD5: 38d322503903ddf1db2e6f1767f36a13
  SHA1: ec52ee420458168d4beff8042b07cbc24b0be137
  SHA256: b90b5da465fab401ee69acc3d415dd581d2325a9e7553f1655a19c6014a697c7
  SHA512: 4d5b366dab051268edaf6a3a0bcf6ecc760a8118115d9cd6b49f05715d02e0222bb803ed3db95fa0980bca32c7cb4750b5625da7a366b219982f34b5208b6de6

• C:\Users\Admin\Desktop\CompareRemove.aiff.sgtsnwvi
  Filesize: 609KB
  MD5: 36d18faf22f006622228da8ef1eebc99
  SHA1: 7521c81a12b478e6e22b1b7a4d05576e1a62fa23
  SHA256: 6391ac8a276d3f37b775cebafb79e420fab55309e3ecdbfc41c993a3efd3b6ed
  SHA512: e00b385e48978aecd7873816e026814b9eb316bd9db513b17d8286960ab75806911000959a1a339e4b809c574357ae728de88fa002ac516c5b0562b11eb4544d

• C:\Users\Admin\Desktop\ConfirmRestart.inf.sgtsnwvi
  Filesize: 736KB
  MD5: be934f32cf6fa8b2a67d5bd5767155a2
  SHA1: 8ac74d0a5d81758e693685fc6776e3a642ff5ffa
  SHA256: faa2f94fee743ad67c35fd0ed26aba506764a101754983c6e0ad4066b6c9fa4c
  SHA512: 4404c197ec2986907bff809d0f0f7a2f040cb4c86fc2aa5de94e9e9eed78a9ea143388c5271e55233559e6e5a39199d3672d5836ad586ee790a300cc6e40962f

• C:\Users\Admin\Desktop\DenyImport.wmf.sgtsnwvi
  Filesize: 406KB
  MD5: ba2150f0e87d8c9266c31cbdc9267956
  SHA1: fb7e013643064fabe83f1f60a6658d9e17c6491a
  SHA256: 2770524523f868af6931a8454769bc055e96e6a0f94c0cb41c558ac0050e94df
  SHA512: 6953214bbb75e22bd59a968fdd3d141c3960f76aabd734e084222f5f2940cb2e323c31edc13520199c2e70fbae3870044ee9d2727924485a44457744f1980359

• C:\Users\Admin\Desktop\DenyPing.wm.sgtsnwvi
  Filesize: 660KB
  MD5: 04c51061e1be05a78b271cbe57365b03
  SHA1: 9c225c18dd035fdf428e8dbabd0ffb8005d21d52
  SHA256: f7d99f211e79e79498563c44475b9d2da175f554dd85cc5cf0012bfdba9641f4
  SHA512: bd348c24996307df5207dcd86d81a72dc068a5912af36ab4164f818d29094a55ba5c8a0198c262b507348940490f4a3e0a7fedc0908cf511bc4bb22d3abc3513

• C:\Users\Admin\Desktop\DisableRepair.pptx.sgtsnwvi
  Filesize: 482KB
  MD5: f235a4f6c0cc10969c3ef480d5ccefcc
  SHA1: bc9a8683da6205960f256d1b6a4f8b197aecbdb5
  SHA256: 8e6bb52e1998b29ee0f76cb88378e1b7d20618810eeeca8509f46967d6a381a5
  SHA512: 249eb9830cbe013949a9563f89b489753a41b9e02d1912e93ca797025546c252f7a771e2035d05974acfb9c4bd5587f8e9f1bec9be0710168b44960d3d5d55a3

• C:\Users\Admin\Desktop\EditMount.potm.sgtsnwvi
  Filesize: 457KB
  MD5: 6966c10ac1f76e1fff87df0d30603789
  SHA1: 2565b89e2cf7b7a8309cfa08898cbda2ebdce550
  SHA256: ba2e7460042ac55733e1657b2114c1e5aff1b744be37af16195e1348b811a7ad
  SHA512: 62dcc7f708de5a2fade034a18b319f0921ee61b5fcc9402bd446b134c0be25791b4a815c430ba26c2f520d93132f5f1a2a4868a8b56d1d68d7231d72d3db32f6

• C:\Users\Admin\Desktop\GetUninstall.wmx.sgtsnwvi
  Filesize: 635KB
  MD5: 80c2a87f7fb98abd00c0bed86c72bbf2
  SHA1: faa23a3219f03585bb437c7ca251bca586b8d692
  SHA256: 836258b8b3d085082eecb27c71bc064b371f696dfdd2fbf6965bf5df567aabe0
  SHA512: 6b2fc045bc7878efb7775b904fa0ad1641fc2e0fb3f465f6ecc8da14f67740e3335570d3542ba7a5617f389fb2bda5a68ffbc563f2631e9b1c824259fdaa2821

• C:\Users\Admin\Desktop\InvokeDebug.cfg.sgtsnwvi
  Filesize: 355KB
  MD5: 5618d121406c21e130f40d67e78df009
  SHA1: b7fbe0efe713e6aa9a35b18d405175ebed003503
  SHA256: f11942ac0c4a80736a625b79b53ceaa3ab0a9d65b70827b5b672e08af73fcb39
  SHA512: ef8050835a31dc2865b6a28861fb9bcf1bec86c1bb690d0878b6ad58cea0260b93373d82bb61d0de3dcfeb673ad72754bfb06b75a23670c411230d5596f53d80

• C:\Users\Admin\Desktop\MergeAdd.docx.sgtsnwvi
  Filesize: 13KB
  MD5: c2cdab47d15985c80992fba9dd4e6e9d
  SHA1: 3d9494a3f16a2c676b765380623d471ee77c769b
  SHA256: b1c7217a7a047293789b26a547a0fa1541792e7dc4ac0c071dc4fd574201683c
  SHA512: 93e67ebc44b397b4630b2f6e2afb17945a7c4d6627d836e6318feff48481ee98aaa9b8de2b1905c25e4cd16e9f7539003284ffda2716bf5c229c91498b562fcb

• C:\Users\Admin\Desktop\MergeExport.xlsx.sgtsnwvi
  Filesize: 13KB
  MD5: bb623f24299b94865938c657786cb7c5
  SHA1: 19cb130873dc5079c04aa602cdbd68efab7d55f4
  SHA256: 49fda10c8ef3f90e220e670aa071cc152f627f086f932059196766bd243b3787
  SHA512: 37e052cfa775251fbf09a0e7c3cb80a31c3d46252c5cab6fcc6e571da8530ed013b93a855ae857ac704aa673e13dff5f3f176aedc4c8a9b67b3bba716f309916

• C:\Users\Admin\Desktop\MoveGroup.svg.sgtsnwvi
  Filesize: 584KB
  MD5: 0f51dcd2c1b715bac519b1f3d8cba329
  SHA1: a51bec511b34f4f82a8f767d600dba16ced21bde
  SHA256: 2f365b5338ad998f18076924af50739a3b6900958b15e5d1a3da938862c0d2c6
  SHA512: 3e4458e2d618dd2ee6b7422a4cad7293f3205ae771e5b8ecbc9aef31915ce748534842c2343579e7b77eb9bfa5c5f8b0beb7da80a94f9f85600fb2f118ecd689

• C:\Users\Admin\Desktop\NewSwitch.mp2.sgtsnwvi
  Filesize: 762KB
  MD5: e5121f99a9ecd2830d23bb3e4b033b8e
  SHA1: 3eda08c24e7a9cb016e9949c316596e7eebd5520
  SHA256: 678d9752840b89e4f93725d82ec3cb67ab4931ea0f999fa7f4db43545b93d183
  SHA512: a05df979ab5311e9eef9fb8478513ea28b0dd2f5d1b5aca826e885fc065b5d3c527c77d512fb50b2e97743f96c3aca79338765c7b62e797549258af88233d8eb

• C:\Users\Admin\Desktop\RedoSkip.vsx.sgtsnwvi
  Filesize: 559KB
  MD5: 89b81fb8062aec7939de1d9f7c3bf06b
  SHA1: 045973a98eaf82daa42036a66265db27c94fd2b5
  SHA256: 5d25df7b42f2c413af297eb40897e1a3b5d10043d84736437b765496fa429c1d
  SHA512: 634df76a70c5234a3d8f4b4a424fa75fee9e9d1e03ac056cbeacb0531b9b014236b69cd3a14365a436f74400ed6f39484024194a5f660d3b707f35d0e55e4d58

• C:\Users\Admin\Desktop\RegisterSwitch.gif.sgtsnwvi
  Filesize: 1.1MB
  MD5: 35c3596d4e55d06dfa9a905682dc798c
  SHA1: 2ac7188320bbfe5e19c690ba17af0a7a1aee9b51
  SHA256: fb9b83ac6db6d0be0c790fca1b6d2c425a131904f5ecfe954ff3489fa51d2335
  SHA512: 56d79c32aff4d7215e841d5a72219a038c4251a6f41394dd7c0a378aebced30b8737af6c78637f7ea43279bba2e3171ef8a920a77a8b2abfad2d06ee76a1fbd8

• C:\Users\Admin\Desktop\RepairEdit.ttc.sgtsnwvi
  Filesize: 686KB
  MD5: 73fe0867db3e236e03617c6641bfc3f5
  SHA1: b460661a8db684644bbfe7031bb24fe970f6f075
  SHA256: 1f4b2434a6e9c8d82b4f0b811a6fc84e503bda0860672f8a336e83b443038574
  SHA512: 14baf159a57c52aa956b14db8ef052cfeb44a55d2ea0481ba9147aaae5be888119d2788a504a77e421c2fa980c1bb5d6c29f0bb836e79d2beb479d15fdaee787

• C:\Users\Admin\Desktop\ResetRegister.wmv.sgtsnwvi
  Filesize: 533KB
  MD5: 7a47e9efbb97aba6eeaf807df6cbcdf9
  SHA1: e67b723e4684230b0640de52faf53107bf548105
  SHA256: 72be0b5cc345007d554f3d3a3fae1f2fe0374f041f86129dff8db29dce590877
  SHA512: 4927108858b37fd7ab191c1dd4ba2b505ca6e222237750e78a966319b5da246cb87736e6b9d6cb54bc2aca3f77b6471d687c47a2f93dfa4102299216f9a17c39

• C:\Users\Admin\Desktop\RestartWrite.vssm.sgtsnwvi
  Filesize: 381KB
  MD5: 04fa9e1959fa3402ef7debfe8818b513
  SHA1: 4b3d80f42cf7315f7f3316ffcbac46c0f9132c3d
  SHA256: 3cffcbec8ff6be5440f34ca0bb2d5abcfe4f16042ac54698ebb6e78191f9e2aa
  SHA512: 445414380ddcfb53ddf12dc167a14b13d946ee350a2f7288b6e571dc5d0dbaae9c5c8353df36e845c8a7204d00be0c7d08597f270c2a491e28e4c4cb4f2f219e

• C:\Users\Admin\Desktop\UndoClear.shtml.sgtsnwvi
  Filesize: 305KB
  MD5: f62860e84279edc32138a34ff7efbac8
  SHA1: 194c8d0caf236e6ebe9b3e849b940e9a3962da84
  SHA256: 0401afca1fa22cef4017f4b4232f0b55eb58d44af9f2db98133a2bc1b77a1183
  SHA512: 08cf5fa2228b5b37b7977d102fd45a85f92dfa198f226b0e967594d9757f293e81f2edcc1ebc3beb4e0fa8fa1b1981d7820eb655405ded9c7ccfc2cf8bc2c377

• C:\Users\Admin\Desktop\UninstallSet.M2T.sgtsnwvi
  Filesize: 508KB
  MD5: 93aea99cbd40bd293d35fca8b083a34a
  SHA1: 4e83f2751339e00748a8b3af3a1531fe203c2d26
  SHA256: 0eb6fd8178ec1610e3a5a39e7ec945903404554dd474de5c4fc7b0cfb765394b
  SHA512: 103a73f187a867ee51c6da325ffbbd5775b621f5b7bcd41c784ed370d17746091ff2723bfc6cbbcfa50d9f265ec7ce628325174d70d1ed35170241d73794d758

• C:\Users\Admin\Desktop\WatchRemove.vstm.sgtsnwvi
  Filesize: 711KB
  MD5: 1c89365a2b9f2a9c016c35dcc106e34f
  SHA1: 1ba3100ce9421d3ec0e83abde40bd088ab556a91
  SHA256: a5c4be767c5464849dcd5a166dc101c386902c5eca3fd68233e996be2a21378c
  SHA512: 75f45de5a39c0b00db1ee1a814c09464d119cb525a2947a2ad8b09eff0fa44656fd49175dcf435841db3e4b3385c811c2bfcebbf1d75c8093dc50dd5916f2890

                  • \??\c:\Program Files\Common Files\System\safemonn64.dll

                    Filesize

                    207KB

                    MD5

                    17d94533420151d4f1af7ca6e9652df6

                    SHA1

                    af511753b6082a04aded94d1ba1aca037559f698

                    SHA256

                    e7553b6931998d2d4359162bae14054830f8f69be9d2de3f445158d5caa113b9

                    SHA512

                    8d4d4d0c71a432c326305a20cb6b9362815f6cd7cc7328ac632ecdc233f335d1119039b1cadef78d10ae40ebc1ab75c8e93b45cb34265a1ab53f3efdc775ce76

                  • memory/292-733-0x0000000002640000-0x000000000267D000-memory.dmp

                    Filesize

                    244KB

                  • memory/292-738-0x00000000374E0000-0x00000000374F0000-memory.dmp

                    Filesize

                    64KB

                  • memory/292-878-0x00000000052E0000-0x00000000053FB000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/860-314-0x0000000000400000-0x000000000040C000-memory.dmp

                    Filesize

                    48KB

                  • memory/860-316-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                  • memory/860-322-0x0000000000400000-0x000000000040C000-memory.dmp

                    Filesize

                    48KB

                  • memory/860-312-0x0000000000400000-0x000000000040C000-memory.dmp

                    Filesize

                    48KB

                  • memory/860-310-0x0000000000400000-0x000000000040C000-memory.dmp

                    Filesize

                    48KB

                  • memory/860-308-0x0000000000400000-0x000000000040C000-memory.dmp

                    Filesize

                    48KB

                  • memory/860-317-0x0000000000400000-0x000000000040C000-memory.dmp

                    Filesize

                    48KB

                  • memory/860-321-0x0000000000400000-0x000000000040C000-memory.dmp

                    Filesize

                    48KB

                  • memory/888-2567-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/888-26-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/888-28-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/888-27-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/888-2406-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/888-2407-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/888-2568-0x0000000140000000-0x00000001405E8000-memory.dmp

                    Filesize

                    5.9MB

                  • memory/988-979-0x0000000000400000-0x0000000000430000-memory.dmp

                    Filesize

                    192KB

                  • memory/1132-86-0x0000000000400000-0x000000000044A000-memory.dmp

                    Filesize

                    296KB

                  • memory/1132-958-0x0000000000400000-0x000000000044A000-memory.dmp

                    Filesize

                    296KB

                  • memory/1676-2623-0x0000000000080000-0x00000000000B0000-memory.dmp

                    Filesize

                    192KB

                  • memory/1736-46-0x0000000000400000-0x000000000044A000-memory.dmp

                    Filesize

                    296KB

                  • memory/1736-82-0x0000000000400000-0x000000000044A000-memory.dmp

                    Filesize

                    296KB

                  • memory/1860-898-0x0000000002220000-0x000000000225D000-memory.dmp

                    Filesize

                    244KB

                  • memory/1860-903-0x00000000374E0000-0x00000000374F0000-memory.dmp

                    Filesize

                    64KB

                  • memory/1860-927-0x00000000052E0000-0x00000000053FB000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/2568-2786-0x00000000001B0000-0x000000000021A000-memory.dmp

                    Filesize

                    424KB

                  • memory/2644-59-0x0000000000860000-0x0000000000A81000-memory.dmp

                    Filesize

                    2.1MB

                  • memory/2644-148-0x0000000000860000-0x0000000000A81000-memory.dmp

                    Filesize

                    2.1MB

                  • memory/2672-675-0x0000000006130000-0x000000000624B000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/2672-208-0x0000000002670000-0x00000000026AD000-memory.dmp

                    Filesize

                    244KB

                  • memory/2672-213-0x00000000374E0000-0x00000000374F0000-memory.dmp

                    Filesize

                    64KB

                  • memory/2704-120-0x0000000000400000-0x00000000004A0000-memory.dmp

                    Filesize

                    640KB

                  • memory/2704-122-0x0000000000400000-0x00000000004A0000-memory.dmp

                    Filesize

                    640KB

                  • memory/2704-58-0x0000000000400000-0x00000000004A0000-memory.dmp

                    Filesize

                    640KB

                  • memory/2792-960-0x0000000000510000-0x000000000051C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2792-62-0x0000000001330000-0x0000000001390000-memory.dmp

                    Filesize

                    384KB

                  • memory/2792-65-0x0000000000470000-0x0000000000490000-memory.dmp

                    Filesize

                    128KB

                  • memory/2824-156-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2824-923-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2824-921-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2824-158-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2824-157-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2824-155-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2836-66-0x0000000000310000-0x000000000032C000-memory.dmp

                    Filesize

                    112KB

                  • memory/2836-64-0x0000000000F10000-0x0000000000F7A000-memory.dmp

                    Filesize

                    424KB

                  • memory/2836-959-0x00000000009A0000-0x00000000009AC000-memory.dmp

                    Filesize

                    48KB

                  • memory/2960-1733-0x00000000011C0000-0x000000000122A000-memory.dmp

                    Filesize

                    424KB

                  • memory/2964-72-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2964-69-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2964-71-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2964-83-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2964-74-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/2964-70-0x0000000000400000-0x0000000000608000-memory.dmp

                    Filesize

                    2.0MB

                  • memory/3704-2954-0x0000000001000000-0x000000000106A000-memory.dmp

                    Filesize

                    424KB
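The dropped-file and memory-dump entries above are the part of a sandbox report an analyst usually wants in machine-readable form: the hashes become an IOC set, and each `memory/<pid>-<index>-<start>-<end>-memory.dmp` name encodes the process, dump ordinal and address range of a region that was captured. The parser below is an added example written for this page, not code from the sandbox vendor; it consumes a small sample constructed in the same bullet/label/value shape as the listing (two entries copied from it), validates hash lengths, and cross-checks each memory region's stated Filesize against its address range, so a typo in either field is caught before the values are fed to a blocklist. All function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the report's own layout: a bullet line, then
# label/value pairs separated by blank lines. Values copied from the listing.
SAMPLE = r"""
• C:\Users\Admin\Desktop\RegisterSwitch.gif.sgtsnwvi

  Filesize

  1.1MB

  MD5

  35c3596d4e55d06dfa9a905682dc798c

  SHA1

  2ac7188320bbfe5e19c690ba17af0a7a1aee9b51

  SHA256

  fb9b83ac6db6d0be0c790fca1b6d2c425a131904f5ecfe954ff3489fa51d2335

  SHA512

  56d79c32aff4d7215e841d5a72219a038c4251a6f41394dd7c0a378aebced30b8737af6c78637f7ea43279bba2e3171ef8a920a77a8b2abfad2d06ee76a1fbd8

• memory/292-733-0x0000000002640000-0x000000000267D000-memory.dmp

  Filesize

  244KB

• memory/888-26-0x0000000140000000-0x00000001405E8000-memory.dmp

  Filesize

  5.9MB
"""

HASH_LABELS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}


@dataclass
class Artifact:
    name: str
    filesize: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def is_memory_region(self) -> bool:
        return MEM_RE.match(self.name) is not None


def parse_listing(text: str) -> List[Artifact]:
    """Turn the bullet/label/value listing into Artifact records, rejecting malformed hashes."""
    items: List[Artifact] = []
    current: Optional[Artifact] = None
    label: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = Artifact(name=line[1:].strip())
            items.append(current)
            label = None
        elif current is None:
            continue  # text before the first bullet is not part of an entry
        elif line == "Filesize" or line in HASH_LABELS:
            label = line
        elif label == "Filesize":
            current.filesize, label = line, None
        elif label in HASH_LABELS:
            if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[label], line):
                raise ValueError(f"bad {label} for {current.name}: {line}")
            current.hashes[label], label = line, None
    return items


def size_to_bytes(text: str) -> float:
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return float(m.group(1)) * UNIT[m.group(2)]


def size_tolerance(text: str) -> float:
    """Half of the least significant displayed digit, in bytes (244KB -> 512B, 5.9MB -> 0.05MB)."""
    m = SIZE_RE.match(text)
    num, unit = m.group(1), m.group(2)
    decimals = len(num.split(".")[1]) if "." in num else 0
    return 0.5 * (10 ** -decimals) * UNIT[unit]


def region_bytes(name: str) -> int:
    """Size of a memory dump's address range, derived from its file name."""
    m = MEM_RE.match(name)
    if not m:
        raise ValueError(f"not a memory region name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"inverted range in {name}")
    return end - start


def check_region_sizes(items: List[Artifact]) -> List[str]:
    """Names of memory regions whose stated Filesize disagrees with their address range."""
    bad = []
    for a in items:
        if a.is_memory_region and a.filesize:
            if abs(region_bytes(a.name) - size_to_bytes(a.filesize)) > size_tolerance(a.filesize):
                bad.append(a.name)
    return bad


def ioc_hashes(items: List[Artifact], algo: str = "SHA256") -> List[str]:
    """Sorted, de-duplicated hash set for one algorithm, ready for a blocklist or hunt query."""
    return sorted({a.hashes[algo] for a in items if algo in a.hashes})


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("entries:", len(parsed), "size mismatches:", check_region_sizes(parsed))
    print("sha256 IOCs:", ioc_hashes(parsed))
```

The size check is deliberately tolerant to the report's rounding: 0x267D000 - 0x2640000 is 0x3D000 bytes, exactly 244KB, while the 0x140000000-0x1405E8000 range of PID 888 is 6193152 bytes, which the report rounds to 5.9MB. That second range also starts at 0x140000000, the default image base of a 64-bit MSVC-linked executable, which is why the same 5.9MB region recurs across all of PID 888's dumps.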