Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\p2h.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp | String found in binary or memory: http://casper.beckman.uiuc.edu/~c-tsai4
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp | String found in binary or memory: http://chasen.aist-nara.ac.jp/chasen/distribution.html
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://corz.org/ip
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: p2h.exe, 00000000.00000003.918284526.000000003C3F2000.00000004.00000001.sdmp | String found in binary or memory: http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl
Source: p2h.exe, 00000000.00000003.918284526.000000003C3F2000.00000004.00000001.sdmp | String found in binary or memory: http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d
Source: p2h.exe, 00000000.00000003.833206566.000000003A0E0000.00000004.00000001.sdmp | String found in binary or memory: http://download.oracle.com/javase/7/docs/technotes/guides/plugin/
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://icanhazip.com
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://ip.appspot.com
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://ip.eprci.net/text
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://ip.jsontest.com/
Source: p2h.exe, 00000000.00000003.833215162.000000003A0E3000.00000004.00000001.sdmp | String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp | String found in binary or memory: http://opensource.org/licenses/bsd-license.php
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://s2.symcb.com0
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://services.packetizer.com/ipaddress/?f=text
Source: p2h.exe, 00000000.00000003.833233121.000000003A0F2000.00000004.00000001.sdmp, p2h.exe, 00000000.00000003.832988343.000000003A04F000.00000004.00000001.sdmp | String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0W
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://sv.symcd.com0&
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://th.symcb.com/th.crl0
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://th.symcb.com/th.crt0
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://th.symcd.com0&
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://whatthehellismyip.com/?ipraw
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://wtfismyip.com/text
Source: p2h.exe, 00000000.00000003.1315206008.000000004FD92000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoit.de/index.php?page=Thread&postID=48393
Source: p2h.exe, 00000000.00000003.1187273056.000000004FB63000.00000004.00000001.sdmp | String found in binary or memory: http://www.bearcave.com/random_hacks/permute.html
Source: p2h.exe, 00000000.00000003.1163172906.000000004FB00000.00000004.00000001.sdmp | String found in binary or memory: http://www.easyrgb.com/math.php?MATH=M19#text19
Source: p2h.exe, 00000000.00000003.823608089.000000003C35F000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/
Source: p2h.exe, 00000000.00000003.833215162.000000003A0E3000.00000004.00000001.sdmp | String found in binary or memory: http://www.linuxnet.com
Source: p2h.exe, 00000000.00000003.826957316.000000003A16A000.00000004.00000001.sdmp | String found in binary or memory: http://www.live.com/
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://www.myexternalip.com/raw
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://www.networksecuritytoolkit.org/nst/tools/ip.php
Source: p2h.exe, 00000000.00000003.833206566.000000003A0E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/technetwork/java/javase/overview/
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://www.symauth.com/cps0(
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: http://www.symauth.com/rpa00
Source: p2h.exe, 00000000.00000003.833233121.000000003A0F2000.00000004.00000001.sdmp, p2h.exe, 00000000.00000003.832988343.000000003A04F000.00000004.00000001.sdmp | String found in binary or memory: http://www.tagvault.org/tv_extensions.xsd
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://www.telize.com/ip
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: http://www.trackip.net/ip
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp | String found in binary or memory: http://www.unicode.org/Public/
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp | String found in binary or memory: http://www.unicode.org/Public/.
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp | String found in binary or memory: http://www.unicode.org/cldr/data/.
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp | String found in binary or memory: http://www.unicode.org/copyright.html.
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp | String found in binary or memory: http://www.unicode.org/reports/
Source: p2h.exe, 00000000.00000003.834575319.000000003C375000.00000004.00000001.sdmp | String found in binary or memory: http://www.wikipedia.com/
Source: p2h.exe, 00000000.00000003.825900969.000000003A15C000.00000004.00000001.sdmp | String found in binary or memory: http://www.youtube.com/
Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: https://d.symcb.com/rpa0
Source: p2h.exe, 00000000.00000003.835666037.000000003C315000.00000004.00000001.sdmp | String found in binary or memory: https://sourceforge.net/project/?group_id=1519
Source: A5F447-Readme.txt.0.dr | String found in binary or memory: https://torproject.org/
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/docs/appendix/SendKeys.htm#KeysList
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/docs/functions/
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/docs/intro/au3check.htm
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/docs/keywords.htm
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/docs/keywords/
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/docs/keywords/comments-start.htm
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/docs/libfunctions/_
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/docs/macros.htm#
Source: p2h.exe, 00000000.00000003.958967592.000000003C4A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/scite/docs/AutoIt3Wrapper.html
Source: p2h.exe, 00000000.00000003.1271532915.000000004FC20000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/forum/topic/50254-powerpoint-wrapper
Source: p2h.exe, 00000000.00000003.963873803.000000004F5F2000.00000004.00000001.sdmp | String found in binary or memory: https://www.autoitscript.com/trac/autoit/ticket/3585
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: https://www.thawte.com/cps0/
Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp | String found in binary or memory: https://www.thawte.com/repository0W
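The string list above mixes three kinds of indicator that deserve different handling: a run of external-IP lookup services (memory strings only; the report shows no traffic to them), the CRL/OCSP/CPS URLs of an Authenticode signing chain, which carry DER residue such as ".crl0W" and ".com0&" because the scanner read past the end of the URL inside the certificate, and the .onion addresses embedded in the dropped note. The script below is an added example, not part of this report or the sandbox vendor's tooling: it parses rows in this "Source: ... | kind: value |" layout, strips the DER residue, extracts .onion addresses and dropped-file paths, and sorts URLs into buckets. The sample rows are constructed excerpts, and the DER-tail and "ip in host or path" heuristics are assumptions, not vendor rules.

```python
"""Turn flattened sandbox-report rows into an indicator list.

Added example; not part of the report above and not the sandbox vendor's
tooling.  SAMPLE_ROWS are constructed excerpts in the page's
"Source: ... | <kind>: <value> |" layout.  The DER-tail and IP-check
heuristics are the author's assumptions, explained where they appear.
"""
import re
from urllib.parse import urlsplit

# Constructed rows modelled on the report (same layout, trimmed content).
SAMPLE_ROWS = [
    "Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp"
    " | String found in binary or memory: http://checkip.dyndns.org |",
    "Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp"
    " | String found in binary or memory: http://sv.symcb.com/sv.crl0W |",
    "Source: p2h.exe, 00000000.00000003.907119568.000000003C15A000.00000004.00000001.sdmp"
    " | String found in binary or memory: http://th.symcd.com0& |",
    "Source: p2h.exe, 00000000.00000003.1060319542.000000004F992000.00000004.00000001.sdmp"
    " | String found in binary or memory: https://api.ipify.org | Jump to behavior |",
    "Source: A5F447-Readme.txt.0.dr | String found in binary or memory: https://torproject.org/ |",
    r"Source: C:\Users\user\Desktop\p2h.exe | File dropped: C:\ProgramData\A5F447-Readme.txt"
    r" -> open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onionif the"
    r" website is not available, open another one:"
    r" rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion3.put your personal code |",
]

URL_RE = re.compile(r"https?://[^\s|]+")
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion|\b[a-z2-7]{16}\.onion")
# Authenticode CRL/OCSP/CPS URLs are scanned straight out of the DER-encoded
# certificate, so the string carries the next tag/length byte(s) as printable
# junk: ".crl0W", ".com0&", "/rpa00".  Assumption: a URL of interest never
# legitimately ends in a letter or '/' followed by '0' plus one such character.
DER_TAIL_RE = re.compile(r"(?<=[A-Za-z/])0[0-9A-Za-z&%/(]?$")
# Assumption: external-IP lookup services say "ip" in the host or path.
IP_CHECK_RE = re.compile(r"(?<![a-z])ip(?![a-z])|myip|ipify|ipaddress|hazip|checkip")


def parse_row(row):
    """Split one report row into (source, kind, value); trailing link cells are dropped."""
    cells = [c.strip() for c in row.strip().strip("|").split(" | ")]
    if len(cells) < 2 or not cells[0].startswith("Source:"):
        raise ValueError("not a report row: %r" % row[:60])
    kind, _, value = cells[1].partition(":")
    return cells[0][len("Source:"):].strip(), kind.strip(), value.strip()


def strip_der_tail(url):
    """Drop the residue characters that follow a URL lifted from a DER blob."""
    return DER_TAIL_RE.sub("", url)


def classify_url(raw):
    """Return (bucket, cleaned_url): cert_infra, ip_check or other."""
    url = strip_der_tail(raw)
    parts = urlsplit(url)
    # A stripped tail or a .crl/.crt path means the URL came from certificate data.
    if url != raw or parts.path.lower().endswith((".crl", ".crt")):
        return "cert_infra", url
    if IP_CHECK_RE.search((parts.netloc + parts.path).lower()):
        return "ip_check", url
    return "other", url


def extract_indicators(rows):
    """Collect deduplicated, sorted indicators from report rows."""
    found = {"ip_check": set(), "cert_infra": set(), "other": set(),
             "onion": set(), "dropped": set()}
    for row in rows:
        _source, kind, value = parse_row(row)
        if kind == "File dropped":
            found["dropped"].add(value.split(" -> ", 1)[0])
        found["onion"].update(ONION_RE.findall(value))
        for raw in URL_RE.findall(value):
            bucket, url = classify_url(raw)
            found[bucket].add(url)
    return {bucket: sorted(items) for bucket, items in found.items()}


if __name__ == "__main__":
    for bucket, items in extract_indicators(SAMPLE_ROWS).items():
        print(bucket, items)
```

Treat the ip_check bucket as a capability hint rather than a contact list: the report records the strings in memory, not DNS or HTTP activity to those hosts, so block or hunt on them only once traffic confirms use.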
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\p2h.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: p2h.exe, 00000000.00000003.772434472.0000000000E49000.00000004.00000001.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 63 Stepping 2, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\Prog
Source: p2h.exe, 00000000.00000003.770463328.0000000000220000.00000004.00000001.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exe delete shadows /all /quietg
Source: p2h.exe, 00000000.00000003.770463328.0000000000220000.00000004.00000001.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 63 Stepping 2, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=UMMBDNEUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsg
Source: p2h.exe, 00000000.00000003.771892061.0000000000E49000.00000004.00000001.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 63 Stepping 2, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=UMMBDNEUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: vssadmin.exe, 00000002.00000002.780739828.000002C470135000.00000004.00000040.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000002.00000002.780602423.000002C46FE70000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000002.00000002.780628594.000002C46FEF0000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\vssadmin.exeWinSta0\Default
Source: vssadmin.exe, 00000002.00000002.780628594.000002C46FEF0000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
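The rows above record p2h.exe, running from the user's Desktop, spawning `vssadmin.exe delete shadows /all /quiet`: the standard way ransomware removes Volume Shadow Copies before encrypting (ATT&CK T1490, Inhibit System Recovery). The "Example Usage: vssadmin Delete ..." strings are vssadmin's own help text read from process 2's image, not further commands. The detection below is an added example run over constructed process-creation events, not part of the report or the sandbox vendor's signatures; the first event copies the command line and parent from the report, the other events are made up, and the wmic, resize-shadowstorage and PowerShell Win32_ShadowCopy rules generalise to well-known equivalents the report does not show. Whitespace between tokens is optional in the patterns so that the separator-stripped memory copy ("vssadmin.exedeleteshadows/all/quiet") matches as well as a normal command line.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added example, not part of the sandbox report.  EVENTS are constructed
records shaped like Sysmon Event ID 1 / Security 4688 fields (Image,
CommandLine, ParentImage).  The first event mirrors the report's
p2h.exe -> vssadmin.exe "Process created" row; the wmic and PowerShell
variants are well-known equivalents added as a generalisation.
"""
import re

# Constructed events; field names follow Sysmon's.  Only the first copies a
# command line and parent from the report, the rest are made up.
EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\p2h.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},  # benign enumeration, no hit
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\x.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     # argv run together, as the vssadmin.exe memory string on the page shows
     "CommandLine": r"C:\Windows\system32\vssadmin.exedeleteshadows/all/quiet"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
]

# \s* instead of \s+ so a separator-stripped copy still matches.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r'vssadmin(?:\.exe)?"?\s*delete\s*shadows', re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r'vssadmin(?:\.exe)?"?\s*resize\s*shadowstorage', re.I)),
    ("wmic shadowcopy delete",
     re.compile(r'wmic(?:\.exe)?"?\s*shadowcopy\s*delete', re.I)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"win32_shadowcopy.*?(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)", re.I)),
]

# A parent launched from a user-writable location raises the severity: an
# administrator's cmd.exe lives under C:\Windows, a dropped payload does not.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\", re.I)


def evaluate(event):
    """Return a finding dict for a shadow-copy removal command, else None."""
    cmd = event.get("CommandLine", "")
    for name, pattern in RULES:
        if pattern.search(cmd):
            parent = event.get("ParentImage", "")
            severity = "high" if USER_WRITABLE_RE.match(parent) else "medium"
            return {"rule": name, "severity": severity,
                    "parent": parent, "command": cmd}
    return None


def scan(events):
    """Evaluate every event and keep the findings, preserving event order."""
    return [hit for hit in map(evaluate, events) if hit]


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print("%-6s %-36s parent=%s" % (hit["severity"], hit["rule"], hit["parent"]))
```

Alert on every hit regardless of parent: backup agents that legitimately prune shadow copies are rare enough to allow-list by image hash, and a `delete shadows /all` from an interactive shell still deserves a ticket. The parent-path check only decides how loudly to page.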
Source: C:\Users\user\Desktop\p2h.exe | File dropped: C:\ProgramData\A5F447-Readme.txt -> decrypter program. do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. for us this is just business and to prove to you our seriousness, we will decrypt you one file for free. just open our website, upload the encrypted file and get the decrypted file for free. additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- steps to get access on our website: 1. download and install tor-browser: https://torproject.org/ 2. open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion if the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3. put your personal code in the input form: {code_a5f447:3pslnnh3deakce47x8zi74gg8lcchhmmh+9yetghfwsalzzulcti0qzwr/kmgsis6iv/flfucrlkhhlpdeowpfqj+da3yhw11iesftuzc7edlh5ep3pa7of3tmpgrjabxgkvbrxuuc2o/jl/3m+cosvmzd/qaofscg3slsrd
Source: C:\Users\user\Desktop\p2h.exe | File dropped: C:\Program Files (x86)\Free Window Registry Repair\A5F447-Readme.txt -> decrypter program. do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. for us this is just business and to prove to you our seriousness, we will decrypt you one file for free. just open our website, upload the encrypted file and get the decrypted file for free. additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- steps to get access on our website: 1. download and install tor-browser: https://torproject.org/ 2. open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion if the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3. put your personal code in the input form: {code_a5f447:3pslnnh3deakce47x8zi74gg8lcchhmmh+9yetghfwsalzzulcti0qzwr/kmgsis6iv/flfucrlkhhlpdeowpfqj+da3yhw11iesftuzc7edlh5ep3pa7of3tmpgrjabxgkvbrxuuc2o/jl/3m+cosvmzd/qaofscg3slsrd
Source: C:\Users\user\Desktop\p2h.exe | File dropped: C:\Program Files (x86)\AutoIt3\A5F447-Readme.txt -> decrypter program. do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. for us this is just business and to prove to you our seriousness, we will decrypt you one file for free. just open our website, upload the encrypted file and get the decrypted file for free. additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- steps to get access on our website: 1. download and install tor-browser: https://torproject.org/ 2. open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion if the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3. put your personal code in the input form: {code_a5f447:3pslnnh3deakce47x8zi74gg8lcchhmmh+9yetghfwsalzzulcti0qzwr/kmgsis6iv/flfucrlkhhlpdeowpfqj+da3yhw11iesftuzc7edlh5ep3pa7of3tmpgrjabxgkvbrxuuc2o/jl/3m+cosvmzd/qaofscg3slsrd
Source: C:\Users\user\Desktop\p2h.exe | File dropped: C:\Program Files (x86)\Microsoft Office\A5F447-Readme.txt -> decrypter program. do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. for us this is just business and to prove to you our seriousness, we will decrypt you one file for free. just open our website, upload the encrypted file and get the decrypted file for free. additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- steps to get access on our website: 1. download and install tor-browser: https://torproject.org/ 2. open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion if the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3. put your personal code in the input form: {code_a5f447:3pslnnh3deakce47x8zi74gg8lcchhmmh+9yetghfwsalzzulcti0qzwr/kmgsis6iv/flfucrlkhhlpdeowpfqj+da3yhw11iesftuzc7edlh5ep3pa7of3tmpgrjabxgkvbrxuuc2o/jl/3m+cosvmzd/qaofscg3slsrd