Resubmissions
22-05-2024 15:54
240522-tca45sgd54 1022-05-2024 15:32
240522-syx1csfh7z 1019-05-2024 21:56
240519-1tcgvsca5s 1019-05-2024 21:54
240519-1sln5sbh9x 1019-05-2024 21:53
240519-1rn3wabh6x 1019-05-2024 20:56
240519-zq5hsshf3v 1018-05-2024 09:15
240518-k76pvsda89 1018-05-2024 00:54
240518-a9ph9acb22 10Analysis
-
max time kernel
1049s -
max time network
872s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
19-05-2024 21:56
Behavioral task
behavioral1
Sample
ByteVaultX 2.0.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
ByteVaultX 2.0.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
ByteVaultX 2.0.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
ByteVaultX 2.0.exe
Resource
win11-20240508-en
General
-
Target
ByteVaultX 2.0.exe
-
Size
9.9MB
-
MD5
98e3408a9432d5046691c4cc744eb244
-
SHA1
c1e9d2c89d2cb72ee2f0f11ef97b2cb07d070142
-
SHA256
958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2
-
SHA512
dd4451441a051a6e9cc1be16702aaea1ce0fee4bd78c30cde050636e573b0ec1fcae4cde654a1928c941410840b8d0f989932779fc59e7bf70ce444029e689d5
-
SSDEEP
196608:ShFaRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:tGFG8S1+TtIi+Y9Z8D8CclydoPx
Malware Config
Extracted
https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg
Extracted
C:\Encrypt\encrypt.html
Signatures
-
Renames multiple (123) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeflow pid process 3 628 powershell.exe 5 1952 powershell.exe 6 3536 powershell.exe 7 4984 powershell.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 15 IoCs
Processes:
netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exepid process 1812 netsh.exe 3420 netsh.exe 4592 netsh.exe 68 netsh.exe 4264 netsh.exe 1868 netsh.exe 4084 netsh.exe 4716 netsh.exe 624 netsh.exe 2588 netsh.exe 2928 netsh.exe 2600 netsh.exe 4188 netsh.exe 3860 netsh.exe 2260 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ByteVaultX 2.0.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation ByteVaultX 2.0.exe -
Loads dropped DLL 12 IoCs
Processes:
ByteVaultX 2.0.exepid process 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe 552 ByteVaultX 2.0.exe -
Drops desktop.ini file(s) 8 IoCs
Processes:
ByteVaultX 2.0.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Music\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Videos\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Documents\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ByteVaultX 2.0.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1032 powershell.exe 4540 powershell.exe 1812 powershell.exe 3204 powershell.exe 1944 powershell.exe 4948 powershell.exe 4148 powershell.exe 3856 powershell.exe 3088 powershell.exe 4688 powershell.exe 372 powershell.exe 3204 powershell.exe 2088 powershell.exe 4984 powershell.exe 1004 powershell.exe 2340 powershell.exe 4680 powershell.exe 224 powershell.exe 5012 powershell.exe 4732 powershell.exe 68 powershell.exe 2540 powershell.exe 3536 powershell.exe 2196 powershell.exe 1952 powershell.exe 1964 powershell.exe 3856 powershell.exe 3548 powershell.exe 1868 powershell.exe 4648 powershell.exe 4432 powershell.exe 628 powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
reg.exereg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe -
Drops file in Windows directory 4 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exepowershell.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e25bcf7637aada01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "422317900" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{5E650C74-DB9B-4D44-A7AC-E45F194C8C13} = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "422999285" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "422947428" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 041f006437aada01 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 905bdc6337aada01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = f0d6cc7637aada01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "422983373" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000e0140cec22e02db0424a8fbfb5a746b0a0bbfdaad6fbf0973fc7bd2e0dc19332a8bfcceac9ffa0e16c8b961ef063c509a01ef80e854cfde2f5be MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 96581a6437aada01 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 5012 powershell.exe 5012 powershell.exe 5012 powershell.exe 3856 powershell.exe 3856 powershell.exe 3856 powershell.exe 3856 powershell.exe 1812 powershell.exe 1812 powershell.exe 1812 powershell.exe 1812 powershell.exe 3204 powershell.exe 3204 powershell.exe 3204 powershell.exe 3204 powershell.exe 2196 powershell.exe 2196 powershell.exe 2196 powershell.exe 2196 powershell.exe 4648 powershell.exe 4648 powershell.exe 4648 powershell.exe 4648 powershell.exe 4680 powershell.exe 4680 powershell.exe 4680 powershell.exe 4680 powershell.exe 2340 powershell.exe 2340 powershell.exe 2340 powershell.exe 2340 powershell.exe 3548 powershell.exe 3548 powershell.exe 3548 powershell.exe 3548 powershell.exe 3088 powershell.exe 3088 powershell.exe 3088 powershell.exe 3088 powershell.exe 4688 powershell.exe 4688 powershell.exe 4688 powershell.exe 4688 powershell.exe 3856 powershell.exe 3856 powershell.exe 3856 powershell.exe 3856 powershell.exe 628 powershell.exe 628 powershell.exe 628 powershell.exe 628 powershell.exe 1032 powershell.exe 1032 powershell.exe 1032 powershell.exe 1032 powershell.exe 1952 powershell.exe 1952 powershell.exe 1952 powershell.exe 1952 powershell.exe 4732 powershell.exe 4732 powershell.exe 4732 powershell.exe 4732 powershell.exe 224 powershell.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
MicrosoftEdgeCP.exepid process 4440 MicrosoftEdgeCP.exe 4440 MicrosoftEdgeCP.exe 4440 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exepowershell.exedescription pid process Token: SeDebugPrivilege 5012 powershell.exe Token: SeIncreaseQuotaPrivilege 5012 powershell.exe Token: SeSecurityPrivilege 5012 powershell.exe Token: SeTakeOwnershipPrivilege 5012 powershell.exe Token: SeLoadDriverPrivilege 5012 powershell.exe Token: SeSystemProfilePrivilege 5012 powershell.exe Token: SeSystemtimePrivilege 5012 powershell.exe Token: SeProfSingleProcessPrivilege 5012 powershell.exe Token: SeIncBasePriorityPrivilege 5012 powershell.exe Token: SeCreatePagefilePrivilege 5012 powershell.exe Token: SeBackupPrivilege 5012 powershell.exe Token: SeRestorePrivilege 5012 powershell.exe Token: SeShutdownPrivilege 5012 powershell.exe Token: SeDebugPrivilege 5012 powershell.exe Token: SeSystemEnvironmentPrivilege 5012 powershell.exe Token: SeRemoteShutdownPrivilege 5012 powershell.exe Token: SeUndockPrivilege 5012 powershell.exe Token: SeManageVolumePrivilege 5012 powershell.exe Token: 33 5012 powershell.exe Token: 34 5012 powershell.exe Token: 35 5012 powershell.exe Token: 36 5012 powershell.exe Token: SeDebugPrivilege 3856 powershell.exe Token: SeDebugPrivilege 2780 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2780 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2780 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2780 MicrosoftEdgeCP.exe Token: SeIncreaseQuotaPrivilege 3856 powershell.exe Token: SeSecurityPrivilege 3856 powershell.exe Token: SeTakeOwnershipPrivilege 3856 powershell.exe Token: SeLoadDriverPrivilege 3856 powershell.exe Token: SeSystemProfilePrivilege 3856 powershell.exe Token: SeSystemtimePrivilege 3856 powershell.exe Token: SeProfSingleProcessPrivilege 3856 powershell.exe Token: SeIncBasePriorityPrivilege 3856 powershell.exe Token: SeCreatePagefilePrivilege 3856 powershell.exe Token: SeBackupPrivilege 3856 powershell.exe Token: SeRestorePrivilege 3856 powershell.exe Token: SeShutdownPrivilege 3856 powershell.exe Token: SeDebugPrivilege 3856 powershell.exe Token: SeSystemEnvironmentPrivilege 3856 powershell.exe Token: SeRemoteShutdownPrivilege 3856 powershell.exe Token: SeUndockPrivilege 3856 powershell.exe Token: SeManageVolumePrivilege 3856 powershell.exe Token: 33 3856 powershell.exe Token: 34 3856 powershell.exe Token: 35 3856 powershell.exe Token: 36 3856 powershell.exe Token: SeDebugPrivilege 3564 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3564 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3564 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1812 powershell.exe Token: SeIncreaseQuotaPrivilege 1812 powershell.exe Token: SeSecurityPrivilege 1812 powershell.exe Token: SeTakeOwnershipPrivilege 1812 powershell.exe Token: SeLoadDriverPrivilege 1812 powershell.exe Token: SeSystemProfilePrivilege 1812 powershell.exe Token: SeSystemtimePrivilege 1812 powershell.exe Token: SeProfSingleProcessPrivilege 1812 powershell.exe Token: SeIncBasePriorityPrivilege 1812 powershell.exe Token: SeCreatePagefilePrivilege 1812 powershell.exe Token: SeBackupPrivilege 1812 powershell.exe Token: SeRestorePrivilege 1812 powershell.exe Token: SeShutdownPrivilege 1812 powershell.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exepid process 832 MicrosoftEdge.exe 4440 MicrosoftEdgeCP.exe 2780 MicrosoftEdgeCP.exe 4440 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ByteVaultX 2.0.exeByteVaultX 2.0.execmd.exeMicrosoftEdgeCP.exepowershell.exedescription pid process target process PID 1388 wrote to memory of 552 1388 ByteVaultX 2.0.exe ByteVaultX 2.0.exe PID 1388 wrote to memory of 552 1388 ByteVaultX 2.0.exe ByteVaultX 2.0.exe PID 552 wrote to memory of 5012 552 ByteVaultX 2.0.exe powershell.exe PID 552 wrote to memory of 5012 552 ByteVaultX 2.0.exe powershell.exe PID 552 wrote to memory of 1812 552 ByteVaultX 2.0.exe powershell.exe PID 552 wrote to memory of 1812 552 ByteVaultX 2.0.exe powershell.exe PID 552 wrote to memory of 4196 552 ByteVaultX 2.0.exe runas.exe PID 552 wrote to memory of 4196 552 ByteVaultX 2.0.exe runas.exe PID 552 wrote to memory of 1368 552 ByteVaultX 2.0.exe cmd.exe PID 552 wrote to memory of 1368 552 ByteVaultX 2.0.exe cmd.exe PID 1368 wrote to memory of 3420 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 3420 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 4184 1368 cmd.exe reg.exe PID 1368 wrote to memory of 4184 1368 cmd.exe reg.exe PID 1368 wrote to memory of 3876 1368 cmd.exe reg.exe PID 1368 wrote to memory of 3876 1368 cmd.exe reg.exe PID 1368 wrote to memory of 3692 1368 cmd.exe reg.exe PID 1368 wrote to memory of 3692 1368 cmd.exe reg.exe PID 1368 wrote to memory of 3856 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 3856 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 1812 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 1812 1368 cmd.exe powershell.exe PID 4440 wrote to memory of 3564 4440 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 4440 wrote to memory of 3564 4440 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 4440 wrote to memory of 3564 4440 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 4440 wrote to memory of 3564 4440 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1368 wrote to memory of 3204 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 3204 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 2196 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 2196 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 4648 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 4648 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 2588 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 2588 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 2928 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 2928 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 3420 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 3420 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 2600 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 2600 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 1868 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 1868 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 4084 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 4084 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 4716 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 4716 1368 cmd.exe netsh.exe PID 1368 wrote to memory of 4680 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 4680 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 2340 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 2340 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 3548 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 3548 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 3088 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 3088 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 4688 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 4688 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 3856 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 3856 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 628 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 628 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 1032 1368 cmd.exe powershell.exe PID 1368 wrote to memory of 1032 1368 cmd.exe powershell.exe PID 1032 wrote to memory of 3344 1032 powershell.exe cmd.exe PID 1032 wrote to memory of 3344 1032 powershell.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\SYSTEM32\runas.exerunas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"4⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f4⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"4⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"5⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"6⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f6⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"6⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"7⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"8⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f8⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"8⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f6⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f4⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Encrypt\encrypt.batFilesize
2KB
MD5d4b8e7c1b0ee37229b53d8d3c7348af0
SHA13467311b4001a759e24b72cf8ec7606219d4c1cc
SHA256f9f88ccdb3900863a2747809a9e4fe3acd4f52387c2b8e47eebe40bcce5d3fe1
SHA512fe5bab00cf03784b34475d5bfdd29bd625d12137f6b3a96afa9435833fef639e33e4e5357c772fac829232cea20a9ebd81435d4621173722d04846ee915e2863
-
C:\Encrypt\encrypt.htmlFilesize
1KB
MD560722a327960e4b4f5d967101a72ed06
SHA104109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
SHA2563441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
SHA51298812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L5P12AEX\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58789b605c92fa3c2c0cc43d79ec7275d
SHA1635f447b9c113018bb380bce6922cd7c52567782
SHA25626480747a08ba9b89cb374f25f21dad6064679f59057ccd87035ef20b8b4df8c
SHA512f245647f20a6b51fc7da5e2136ea08a9d98523f41183e061c3f21cc9f44c8c51247eb50be16078097a8ff94a2b010f5bcb59b48b7870b8c643f3e2ecc893565c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51858461e4e9ea22f7369f1de2c110718
SHA15b83f3f7fae00ee04809539263a65e6868539895
SHA2569f32cbc0282feda207bd3d105450e3a9c4e4eb3aedc360ae2aad93bb28664b72
SHA512108662138c1ded7e7e405436eea8d4e36bd9830cc43fc8c85d28ec0b8a69e08a4265bb0258bb7c08da326db1ddf37c8dae05db8710298649a96e3a3cbc1b4c93
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5bbe821dc9b703775191193c8400e9d28
SHA15253fea34df8dceb2348e75455e26f48757ab9b1
SHA256b1d41b05991b481ea60f97c4c7e6a5d8d9097baa45bd91681d7f3f8542b7a435
SHA512ffc74e71b662a8d30095be67b25c6153fe4b357dff223b3f7ce7221d08364e6695a28452fbaf75f44cfad284d634a11910239aaabe88ab4337d3204fee69ca3b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD555eb308adeec20c0943ea561b1197ce8
SHA1002230c87143208ab0e566efc50c96916a0f0d69
SHA256e07ee0ed7667c4fd708ed2c5ddd3a3a513b8c7162fdec178065ee6eb52e92630
SHA5126d5c3a689581bec494a7f556d48f1788ff68af0b1544411394f5ba2699ac3edd8f252c3c4cbb34ed81d4bccaf6237661c75d82ef315c2892b140aeebbf580822
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a4323dcaa1dc3b5b3c7dcdefeef479ae
SHA1c00c7eb78986fe97801d8b08c0daa1d3afc4367d
SHA256ed64582cde73d7655022cceaf9b7fde407dff28272b3d38e33144363ddfa6a2b
SHA5124aac9f552a84a80c5c988f98accaac25e306d65a315405b7b99db4cf45943c84c2dd3aba4dca936ecfa8753d41119bf7d4c1b3a8c41378a3d3d159551c461976
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD50decb8045a04687582b15bae2c5fa960
SHA16776fbb62e310052fb8ec434d03b888a5c6e4254
SHA2561bc7f5ffa4a46d8775c9dd8da74b19ad6ac8be2963ec03eca3717adb7ff39d80
SHA51209ea11351de846bc8f19ed7f80f4f80d1f17b93b52ebada02af60e83875be54ac9d99338d8bb593ed58f29797ba8cc855ed2febe7c0c023eef4b198a3ccbff8f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD542a14583acfb387735f6070f205a4913
SHA1d614d4ee0bd8b85ab033a6b40e7adbc650458387
SHA256d967d759f6eeddc1bc563332ab8ee9ab3d7a4381c146211148399973217f0094
SHA512bf3f57851bd2b2ddc57e31d9307d7ab62eb81fe3c1c198a4715d38aa9797ff8accda2a75335197a6c9e5a0075de9eee9594ac8d155c4333dc494e45711b21bfc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d428910b9840cfd35724499f1a73550c
SHA18b8b55444a0ad0ed261dca1588125d6439dfa81a
SHA256eb45a674d57be1790f91e0ff6116160c57766c9b8c69bdd25c0e3349a28c59c0
SHA5121623218a670c43d06c73d029c37d671f78d844c42ed87085795ee924ffab8035663ce923fd532c80521eea307612fa5e58610db47b7e6962034a694d2e7f9421
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d3f8f37c77091dae8bb3c4ff5ca68b76
SHA180132468355ff2505cdc790e76dffe4b6711bf6b
SHA2560a738ffd963bd387a5f59fc3ca643ab53ccdee95083d36c2574af2b3a83c8a45
SHA5125eac4bc9d59de2f434322a681b6abd88fa558a27c4add6b29591f84d48b6057d0eb1485c04299f1f67964695cc082267aadfaa381605b54aa3a5568bc0871790
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ecd55b4d850e10656609e2bb30f484e7
SHA107bc0b805a34e6f2612db32881fc9b104931cace
SHA256ec601461ee08f8e329497b6884861d849025c057931afc4031de61331c31efca
SHA51263eea46a137ebe217fd3bd56b4b58ad016100841e08480ade2ae969c5ff79f80206c5c4dab34e64cdb936f5e588b6386c147f1e246533ee6dc09ad6525fbfe76
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5365fae1ca1aca3f326a2f4ac30c4a630
SHA1589607821ca5839f090eed722b8066b812f56a0f
SHA2561ef7b684c58ed41dad535498d2c59310ecc346d13b38285cce1572fd37552de6
SHA51234b7dc9dcedc6c78120abde3692b0372ec0870cc96c0e648afceaa077656e2666e2e8c42516cf545c64f77099984bfadff9d72875837dafb2b571801600e788e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54c1df5b8f7d7c5f5f5ce08eaab44a15a
SHA1256c89839455f452125c3a1aa7bf999beb52588a
SHA256b0337b954e0affa51646c30a4b15c487f9f1ed46d01620f65c758e34c23d2127
SHA512e5727bae92dad0b246f44b384f357cc66eca57aef7ecf7f5e1e69fdd8989be3019c01b87a6381a416c7cdd0f92b2009f70811286f0ad843d32eb14c422ba0e66
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58f50f72b3093010fecff3c6c8483e572
SHA1b098e3748aa6193222a211962af63684c31b3566
SHA25682ea8ebd21af5e5dbeb9084f3506f4c61e5bc1c4773978170af84cb87a8be4aa
SHA512cbfb62ef0e6d4727a81ff24f3b9c822e154dd8427d0f07bc4f250ac3d6f58b22ba5946c87618bf059c310614028e8d1d471d8567f70ef2284fd4d197bc70d07a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5aca8bbafe25d2152881987234513632e
SHA1403e13ce73ce8f9f0b8e4fdada960fd275c4d85a
SHA2567aefd359580669151e4233cc8ee2742e6544ac05f9beb86e5d5ea0f27ac60e66
SHA512541e33f630a96ad13acf73646f762ecd82322ec70a81cc74677ac5cf7d485a606bb10f23246f4edb9e7ba18e7b5b3c7edf9d2a5298c57cc74017dea1e0d21664
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD59bf0cb83b8387bff14d7353243468198
SHA1542afb58c616efb2f46bf94fd113c7a089470b77
SHA2568687c9e9d7afa540764c4a6a4462bf2644914fda003f54295200b99170a22f0e
SHA5126b1a3091f2068f8bfa0744860c7bfe0760855026e8b03091e5c673b19528c51664b5553570b89a54770c634ecf0fd4267c0e5618e272ecd75ecbc96e4aad272f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5fdf59d3137ad369d6e612a3a0d4fd592
SHA164d6daa3d27655458a3bcc6debaeb1a0fae94490
SHA256557c4bbd33621837c5f36592e1ddc92773cb3301a3dd19c03fc4e7ffe1cb13d0
SHA512199b9dcd22d4c1f6718d23b851a48265d5249b4cc17f12c869cd173101877765ee41558c2f82636138e641bfe56f76788963644510e1c64e467c97de3ea03d07
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5557c66124540f10448437fdb4ff930c9
SHA1123606c68c17afd8f2f26a383c1ef593ebaf3450
SHA256b56cfa08f0266977e910a2631e0e9f8759cdcad9730c2a1e62f052a478852f1e
SHA5127f04cf51026aafad9d50c15814f69c9496b21e5178ce163c6ef5b473c73472352b6e0f6f9129c355321ba588f4085bf6c1b256ab8d8518ad54207da069c1f563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c105f1ae603ae3ff538cc1c6e1268a25
SHA1eebcfbb36addf8f001300f9c6d7e7c4054c63488
SHA256afa03d0c3298e44778f91451b8799acdc2b2646f2ea79485da3e35ec38b0f7bf
SHA512cc549f1949f34b6c37b4c056dcc572ea983d9f21d6038353acb38766ad04370109057234030f1c610ced5d9f16e63b6cbd9613b6b5c22f13d0f12af3efdb8da7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5cd46ba401c6858a457d2185179a0a0ac
SHA1d6aef58577b6d69de1836596886c125a0de61f02
SHA256d9da51b10c2d5c02cc5d4fb597b63bf6694a2f7ff9525297ace340a3c4f7c25e
SHA512995a9015dd5c5019d20c5ea359f3571b087dfff6d090594aa478f0e8d824b5ee1a675e0a0b562e3e8924cadee2317844993f71e6f7b031d3c610a9cab208e6ca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5abf6b7c7cc792b7d7d944987e4c1876c
SHA13163eebcefdf64b266a63f0ed6fc65baa3ad9a8e
SHA2564c3d755fe27b7a7a848b154dab13cb594341023dd95c1b296c1238d7a41f792a
SHA512a5547161896efa5067d45e49907eb195fc689c3e68e89e32905e82a4646ab775092d5ea28d81acfa2af4dc9e4d9369569376b63ee666fd63b8814f5a8916a8be
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57fd0e39a0a4f5e7577bdafaa4ffdfbb2
SHA1f37ca6eb8d170b6f79e4ddb13cb7672e06586686
SHA2568b8bf01efb0da70464a2dc8e9663fd0377a00188efeea1b000dffd03c60b3c73
SHA512a8a0ab99d4bae5452c303c9c29a7ed3485b812402fa389ce831ab5f1d13430816055fe48dffdf10de1ea8742b86162148ba4132570a3370212a4aa77f92c5514
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD59cd9809d739f5a75090368788ce5a8c5
SHA18c3c67bc1b3af9a21b95c9ba76654856ae8e0cb4
SHA25632ec0686eb5e6b43a5f8f60c5d5a9e66fa78a35c49b49a8200a4eadb28c4c05a
SHA5129d11db85890cfaea6c281506b247063970e8458445aafc927e1f70489cb5ca249d5dbc24199f037b7930212f4d4604980c3d531b070363a5426cd0ee6bdd02a0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD581989cb8439404da34efcc884c115bac
SHA14416d1b67808c4773a68bd9f37867c094237f486
SHA25676b9e510bfb1ffaa61ad56c7c28d84fa9206f6927402265f52e345b36031ec19
SHA512baad73dfb088ffeca084d41ffe6274577e31a5fa8dfb3eed40b7dece817eb17b7fb81a8be532e935cbb53d8c3e9606b918c159eafd480ad48b825f2c3bc5b2ec
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c4ac13677f734a001fc44e3a1bd98fe9
SHA1ed259705564818867a40905014251f4785f4deb2
SHA256993e69b4a97fd36c40e914dc9ce43ec0f6864e96eb08caf074345a686801706c
SHA51231695997235594c177201a7c1fa10a1aca66549215f269b57d2315c84ddc7695f486af01f1363c22d7a647c4500973ac9b5aadaf2ce024e99d2761b28e1aa6b1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b5b81fa52e58badb426832e3b23ba78b
SHA16ca202148de7e62d1e629cdc9c6753883c517f81
SHA256e68bcb5736114f6349376f0215cfd1ef241dfda1b5f1d7a306aa0c8a1cef9b12
SHA512fc02ef4154888b823085ff38cf1107101cbe7b22d94e6c7e7658db5911f6e18444ce546c25c56d8ab8ac1cb09711493c2115542df1231fac5f681ce895841be0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d3ea887bd0f7aa5f0acd28fb7b15f3e3
SHA13da66ffb75011cf4285a27dc64c0953df3a5e29b
SHA256f610a6e6023ea30a9b242ac6eb1f86de084bfefd39ccdfd1bdce7965cab517f6
SHA51229bdd0b89ba21256d10630beacd1fa703c64119af791813d8df4c07bed2dcd4d5d20e6b7ca03a76b94a4d2f6bcbb75e5018d4cefcc7a6903684d807477b7cd58
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5516af324f03bad6af79647093e971dd0
SHA1bd25371fb6fddd5a6c1fdce2517fbd700434bdf0
SHA256956db9cd48b1045d22c4338530c0f8b6113dcf82236c2434cf3af4e8695aec84
SHA51230ca972a05294a22da2611e83ada488a4bbb05d672f04cd42397d47b937c2beb4d12a1fa5af8e647e563daacecd9a26768140cbefd849234538e728ad775cf70
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ead2a93018fb6385b49982c6c5db0805
SHA1556febaa45b4fa39b86b04fa891920496e791631
SHA25650d54c42ed2a4dd682211da1c3b1bbcbe60d171a2c144dd41ac65c1fbf250c98
SHA51210129f3f6feb3aa9089fa1705cb3ff87dd666bab037ded80642adbe0265aed103647bebacd91b9e0a6fe42a9b22234436b8d175bdf115a8274da6935ad2df062
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\89S7I2E8\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\VCRUNTIME140.dllFilesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_bz2.pydFilesize
83KB
MD5223fd6748cae86e8c2d5618085c768ac
SHA1dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA5129c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_cffi_backend.cp312-win_amd64.pydFilesize
178KB
MD50572b13646141d0b1a5718e35549577c
SHA1eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA51267c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_decimal.pydFilesize
245KB
MD53055edf761508190b576e9bf904003aa
SHA1f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA51287538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_hashlib.pydFilesize
64KB
MD5eedb6d834d96a3dffffb1f65b5f7e5be
SHA1ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA25679c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_lzma.pydFilesize
156KB
MD505e8b2c429aff98b3ae6adc842fb56a3
SHA1834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\_socket.pydFilesize
81KB
MD5dc06f8d5508be059eae9e29d5ba7e9ec
SHA1d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA2567daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA51257eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\base_library.zipFilesize
1.3MB
MD508332a62eb782d03b959ba64013ac5bc
SHA1b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA2568584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\cryptography\hazmat\bindings\_rust.pydFilesize
6.9MB
MD561d63fbd7dd1871392997dd3cef6cc8e
SHA145a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\libcrypto-3.dllFilesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\python312.dllFilesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\select.pydFilesize
29KB
MD592b440ca45447ec33e884752e4c65b07
SHA15477e21bb511cc33c988140521a4f8c11a427bcc
SHA256680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA51240e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191
-
C:\Users\Admin\AppData\Local\Temp\_MEI13882\unicodedata.pydFilesize
1.1MB
MD516be9a6f941f1a2cb6b5fca766309b2c
SHA117b23ae0e6a11d5b8159c748073e36a936f3316a
SHA25610ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA51264b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zc3pu3ni.csx.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\Desktop\kill.jpgMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\_MEI13882\_ctypes.pydFilesize
122KB
MD5bbd5533fc875a4a075097a7c6aba865e
SHA1ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA51223ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e
-
\Users\Admin\AppData\Local\Temp\_MEI13882\libffi-8.dllFilesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
\Users\Admin\AppData\Local\Temp\_MEI13882\python3.dllFilesize
66KB
MD579b02450d6ca4852165036c8d4eaed1f
SHA1ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA51247044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416
-
memory/832-268-0x0000026DFD410000-0x0000026DFD412000-memory.dmpFilesize
8KB
-
memory/832-249-0x0000026DFD220000-0x0000026DFD230000-memory.dmpFilesize
64KB
-
memory/832-233-0x0000026DFD120000-0x0000026DFD130000-memory.dmpFilesize
64KB
-
memory/832-1519-0x0000026D86CA0000-0x0000026D86CA1000-memory.dmpFilesize
4KB
-
memory/832-1520-0x0000026D86CB0000-0x0000026D86CB1000-memory.dmpFilesize
4KB
-
memory/2780-330-0x000001A510900000-0x000001A510A00000-memory.dmpFilesize
1024KB
-
memory/3564-351-0x00000252EA5B0000-0x00000252EA5B2000-memory.dmpFilesize
8KB
-
memory/3564-344-0x00000252EA540000-0x00000252EA542000-memory.dmpFilesize
8KB
-
memory/3564-347-0x00000252EA570000-0x00000252EA572000-memory.dmpFilesize
8KB
-
memory/3564-349-0x00000252EA590000-0x00000252EA592000-memory.dmpFilesize
8KB
-
memory/3564-343-0x00000252D9E40000-0x00000252D9F40000-memory.dmpFilesize
1024KB
-
memory/5012-230-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmpFilesize
9.9MB
-
memory/5012-226-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmpFilesize
9.9MB
-
memory/5012-221-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmpFilesize
9.9MB
-
memory/5012-192-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmpFilesize
9.9MB
-
memory/5012-191-0x000002377C950000-0x000002377C9C6000-memory.dmpFilesize
472KB
-
memory/5012-190-0x00007FFF08F50000-0x00007FFF0993C000-memory.dmpFilesize
9.9MB
-
memory/5012-187-0x000002377C7A0000-0x000002377C7C2000-memory.dmpFilesize
136KB
-
memory/5012-185-0x00007FFF08F53000-0x00007FFF08F54000-memory.dmpFilesize
4KB