MD5: 49e624aec70f30696be4a016cbe61aa3
Reference: https://twitter.com/VK_Intel/status/1155923795674316801


b'shell32.dll'
b'ntdll.dll'
b'shlwapi.dll'
b'advapi32.dll'
b'B64'
b'svchost.exe'
b'cmdvrt32.dll'
b'vmcheck.dll'
b'dbghelp.dll'
b'wpespy.dll'
b'api_log.dll'
b'SbieDll.dll'
b'SxIn.dll'
b'dir_watch.dll'
b'Sf2.dll'
b'pstorec.dll'
b'snxhk.dll'
b'MSEDGE'
b'IEUser'
b'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'
b'ProductName'
b'Evaluation'
b'SOFTWARE\\Microsoft\\Virtual Machine'
b'{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
b'{6EDD6D74-C007-4E75-B76A-E5740995E24C}'
b'explorer.exe'
b'/C Start'
b'ole32.dll'
b'wtsapi32'
b'WTSEnumerateSessionsA'
b'WTSFreeMemory'
b'WTSGetActiveConsoleSessionId'
b'WTSQueryUserToken'
b'SeTcbPrivilege'
b'Elevation:Administrator!new:'
b'.log'
b'client_id'
b'%d%d%d.'
b'user32.dll'
b'CLSIDFromString'
b'IIDFromString'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\ssp.exe'
b'cmd.exe'
b'/c net stop SAVService'
b'/c net stop SAVAdminService'
b'/c net stop Sophos AutoUpdate Service'
b'/c net stop SophosDataRecorderService'
b'/c net stop Sophos MCS Agent'
b'/c net stop Sophos MCS Client'
b'/c net stop sophossps'
b'/c net stop Sntp Service'
b'/c net stop Sophos Web Control Service'
b'/c net stop swi_service'
b'/c net stop swi_update_64'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\1.exe'
b'C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'
b'/c sc stop WinDefend'
b'/c sc delete WinDefend'
b'DisableBehaviorMonitoring'
b'DisableOnAccessProtection'
b'DisableScanOnRealtimeEnable'
b'/c powershell Set-MpPreference '
b'SOFTWARE\\Policies\\Microsoft\\Windows Defender'
b'DisableAntiSpyware'
b'SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection'
b'DisableIOAVProtection'
b'-DisableRealtimeMonitoring $true'
b'data'
b'-DisableBehaviorMonitoring $true'
b'MBAMService'
b'SAVService'
b'SavService.exe'
b'ALMon.exe'
b'SophosFS.exe'
b'ALsvc.exe'
b'Clean.exe'
b'SAVAdminService.exe'
b'SavService.exe'
b'ALMon.exe'
b'/c sc stop SAVService'
b'/c sc delete SAVService'
b'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
b'Debugger'
b'kakugulykau'
b'-DisableBlockAtFirstSeen $true'
b'-DisableIOAVProtection $true'
b'-DisablePrivacyMode $true'
b'-DisableIntrusionPreventionSystem $true'
b'-SevereThreatDefaultAction 6'
b'-LowThreatDefaultAction 6'
b'-ModerateThreatDefaultAction 6'
b'-DisableScriptScanning $true'
b'KERNEL32.dll'