Ransom_Ryzerlo.R002C0DI919
Ransom:MSIL/Ryzerlo.A (Microsoft); GenericRXGT-RC!DB7A667FE198 (McAfee); HEUR:Trojan-Spy.MSIL.KeyLogger.gen (Kaspersky); Mal/Bladabi-S (Sophos)
Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
301,056 bytes
EXE
Yes
05 Nov 2019
Arrival Details
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Ransomware drops the following copies of itself into the affected system:
- F:\NViDiaDisplay.Container.exe
It adds the following processes:
- %User Temp%\svchosts.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It creates the following folders:
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1
- %AppDataLocal%\Microsoft_Corporation
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
Autostart Technique
This Ransomware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
40f1abfeb160a5f5393e777877aaa6e4 = "{malware path and file name}.exe"
Dropping Routine
This Ransomware drops the following files:
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\792dkelm.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\s6rwpsqj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\cvawit4n.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ivb59qpj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i37wwzbt.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\r5zghbhu.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\xn67vuna.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\s1z1fb5o.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\cuucm3vg.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\luefvb9d.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ubbwsp0b.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\aqubkjdy.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\3jehf0c7.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\bl8ng7h0.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\begphhw1.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\begphhw1.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zh9vd2vw.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q0r_q0qz.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nj5kjiwv.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nz6cqqd2.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\spc5e41g.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\pze1crjj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\uypimi3x.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\3spep7yy.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\guqceam0.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hwtusg2e.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\8kirkab6.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\u5wvz4pi.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\cvawit4n.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jyma5vx2.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\u570a8dk.newcfg
- %User Temp%\svchosts.exe
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qkn9xz45.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\blgppb_b.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\mprhlebm.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q-q3dvnq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ielj_kla.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q0r_q0qz.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i5l8cbzf.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\remz6xeq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\s6rwpsqj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\rnuclw26.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\xvkbjw_r.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\4r_popfd.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hftuuaqq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\3jehf0c7.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jyma5vx2.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\792dkelm.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q44kyooy.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\haqhg50g.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\u570a8dk.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nz6cqqd2.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\uizcvsd0.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n2jhhh6x.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ku2c_f1c.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\uypimi3x.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\remz6xeq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hwtusg2e.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\yutkop6x.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\0jcsswq3.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\pze1crjj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\4r_popfd.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ueqnazbp.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qm-hxhue.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qkn9xz45.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\pbt3mc09.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jcqd08jz.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\dbxfrmde.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\fxhgnzgk.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qn3vx57i.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zh9vd2vw.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\lsxscllz.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\y6jofqiq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\s1z1fb5o.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i37wwzbt.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\fxhgnzgk.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jcqd08jz.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\gtbxiiuv.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\izw6e6l6.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\dxe_ih-r.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\uizcvsd0.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\vjncypwb.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\6mqlkgks.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n8jf7xth.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\haqhg50g.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\luefvb9d.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\np2pgkhn.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ivb59qpj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\vgccaqkp.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hvgj52km.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ewbejxka.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hlhh4gn0.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ob7soixw.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\_uhm7ucu.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\user.config
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\guqceam0.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\yutkop6x.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\z6mxii05.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q-q3dvnq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\_uhm7ucu.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\8kirkab6.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\6mqlkgks.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\b1wjffrq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\0jcsswq3.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\kksaa5ws.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q44kyooy.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\np2pgkhn.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\lsxscllz.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\u5wvz4pi.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ubbwsp0b.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ob7soixw.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\xn67vuna.newcfg
- F:\wlines.zip.lnk
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\b1wjffrq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\bghy7kjh.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ielj_kla.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\7ecydwit.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\vgccaqkp.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\v_jmxfte.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ku2c_f1c.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n_yo1fbv.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\vjncypwb.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i0j-odki.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nj5kjiwv.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ueqnazbp.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\khosfuvg.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\5-e_tfue.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\y6jofqiq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\neeepgyj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\bghy7kjh.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\khosfuvg.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\izw6e6l6.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\frpjeqcz.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\kksaa5ws.tmp
- F:\mail_client.exe.lnk
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\aqubkjdy.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\xvkbjw_r.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\y6pzq2kh.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ntevyuuu.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ea6cmnjr.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\gtbxiiuv.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\r5zghbhu.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zkg4uf1x.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\dbxfrmde.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ewbejxka.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zf1gnsqo.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hvgj52km.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jl-lymdb.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n2jhhh6x.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\-cj1n5mj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qm-hxhue.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qn3vx57i.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\5-e_tfue.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\rnuclw26.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nvla_sie.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n_b1yc3m.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\neeepgyj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\frpjeqcz.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\bl8ng7h0.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\swef_2jc.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ea6cmnjr.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n8jf7xth.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nvla_sie.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\z6mxii05.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ntevyuuu.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\blgppb_b.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i5l8cbzf.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\3spep7yy.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hftuuaqq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\y6pzq2kh.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n_yo1fbv.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zf1gnsqo.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zzxepzhw.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\cuucm3vg.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i0j-odki.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\spc5e41g.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zkg4uf1x.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\mprhlebm.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jl-lymdb.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hlhh4gn0.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n_b1yc3m.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\v_jmxfte.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zzxepzhw.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\-cj1n5mj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\7ecydwit.newcfg
- %AppDataLocal%\GDIPFONTCACHEV1.DAT
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\pbt3mc09.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\dxe_ih-r.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\swef_2jc.tmp
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
Other Details
This Ransomware connects to the following possibly malicious URL:
- http://njratvirus.{BLOCKED}o.org
This report is generated via an automated analysis system.
SOLUTION
9.850
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
Step 3
Identify and terminate files detected as Ransom_Ryzerlo.R002C0DI919
- Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
- If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
- If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- 40f1abfeb160a5f5393e777877aaa6e4 = "{malware path and file name}.exe"
Step 5
Search and delete these components
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\792dkelm.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\s6rwpsqj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\cvawit4n.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ivb59qpj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i37wwzbt.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\r5zghbhu.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\xn67vuna.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\s1z1fb5o.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\cuucm3vg.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\luefvb9d.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ubbwsp0b.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\aqubkjdy.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\3jehf0c7.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\bl8ng7h0.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\begphhw1.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\begphhw1.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zh9vd2vw.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q0r_q0qz.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nj5kjiwv.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nz6cqqd2.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\spc5e41g.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\pze1crjj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\uypimi3x.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\3spep7yy.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\guqceam0.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hwtusg2e.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\8kirkab6.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\u5wvz4pi.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\cvawit4n.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jyma5vx2.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\u570a8dk.newcfg
- %User Temp%\svchosts.exe
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qkn9xz45.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\blgppb_b.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\mprhlebm.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q-q3dvnq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ielj_kla.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q0r_q0qz.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i5l8cbzf.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\remz6xeq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\s6rwpsqj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\rnuclw26.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\xvkbjw_r.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\4r_popfd.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hftuuaqq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\3jehf0c7.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jyma5vx2.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\792dkelm.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q44kyooy.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\haqhg50g.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\u570a8dk.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nz6cqqd2.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\uizcvsd0.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n2jhhh6x.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ku2c_f1c.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\uypimi3x.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\remz6xeq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hwtusg2e.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\yutkop6x.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\0jcsswq3.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\pze1crjj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\4r_popfd.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ueqnazbp.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qm-hxhue.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qkn9xz45.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\pbt3mc09.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jcqd08jz.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\dbxfrmde.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\fxhgnzgk.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qn3vx57i.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zh9vd2vw.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\lsxscllz.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\y6jofqiq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\s1z1fb5o.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i37wwzbt.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\fxhgnzgk.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jcqd08jz.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\gtbxiiuv.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\izw6e6l6.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\dxe_ih-r.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\uizcvsd0.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\vjncypwb.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\6mqlkgks.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n8jf7xth.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\haqhg50g.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\luefvb9d.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\np2pgkhn.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ivb59qpj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\vgccaqkp.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hvgj52km.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ewbejxka.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hlhh4gn0.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ob7soixw.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\_uhm7ucu.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\user.config
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\guqceam0.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\yutkop6x.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\z6mxii05.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q-q3dvnq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\_uhm7ucu.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\8kirkab6.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\6mqlkgks.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\b1wjffrq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\0jcsswq3.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\kksaa5ws.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\q44kyooy.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\np2pgkhn.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\lsxscllz.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\u5wvz4pi.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ubbwsp0b.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ob7soixw.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\xn67vuna.newcfg
- F:\wlines.zip.lnk
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\b1wjffrq.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\bghy7kjh.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ielj_kla.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\7ecydwit.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\vgccaqkp.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\v_jmxfte.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ku2c_f1c.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n_yo1fbv.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\vjncypwb.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i0j-odki.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nj5kjiwv.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ueqnazbp.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\khosfuvg.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\5-e_tfue.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\y6jofqiq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\neeepgyj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\bghy7kjh.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\khosfuvg.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\izw6e6l6.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\frpjeqcz.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\kksaa5ws.tmp
- F:\mail_client.exe.lnk
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\aqubkjdy.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\xvkbjw_r.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\y6pzq2kh.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ntevyuuu.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ea6cmnjr.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\gtbxiiuv.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\r5zghbhu.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zkg4uf1x.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\dbxfrmde.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ewbejxka.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zf1gnsqo.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hvgj52km.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jl-lymdb.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n2jhhh6x.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\-cj1n5mj.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qm-hxhue.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\qn3vx57i.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\5-e_tfue.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\rnuclw26.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nvla_sie.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n_b1yc3m.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\neeepgyj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\frpjeqcz.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\bl8ng7h0.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\swef_2jc.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ea6cmnjr.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n8jf7xth.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\nvla_sie.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\z6mxii05.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\ntevyuuu.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\blgppb_b.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i5l8cbzf.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\3spep7yy.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hftuuaqq.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\y6pzq2kh.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n_yo1fbv.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zf1gnsqo.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zzxepzhw.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\cuucm3vg.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\i0j-odki.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\spc5e41g.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zkg4uf1x.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\mprhlebm.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\jl-lymdb.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\hlhh4gn0.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\n_b1yc3m.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\v_jmxfte.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\zzxepzhw.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\-cj1n5mj.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\7ecydwit.newcfg
- %AppDataLocal%\GDIPFONTCACHEV1.DAT
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\pbt3mc09.tmp
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\dxe_ih-r.newcfg
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1\swef_2jc.tmp
Step 6
Search and delete these folders
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj\10.0.17134.1
- %AppDataLocal%\Microsoft_Corporation
- %AppDataLocal%\Microsoft_Corporation\34f8302c2288f7ef2d54aed4f_Url_1erc2dx1twfjhzmoedmr2nza2uuvkasj
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as Ransom_Ryzerlo.R002C0DI919. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 8
Restore encrypted files from backup.
Did this description help? Tell us how we did.